We are looking at a substantial Patch Tuesday from Microsoft for November.
Microsoft will publish 16 bulletins, with five of them allowing Remote Code Execution (RCE) – the type of vulnerability that attackers are particularly fond of. Overall, the additional 16 bulletins will bring Microsoft’s count up to 79, meaning that we will finish the year under 100 vulnerabilities, which is a bit lower than in 2013 and 2011 and probably on par with 2012.
A big release like this month’s Patch Tuesday covers all versions of the Windows operating system (both for servers and workstations), the .NET stack, Microsoft Office, SharePoint and Exchange. Plenty of work for IT admins on all levels, server, desktop and applications, but the focus should be on the top five:
– Bulletin #1 is rated critical for all versions of Windows and has RCE potential, i.e. the type of vulnerability that allows an attacker to take control over an infected machine.
– Bulletin #2 is critical as well and covers all versions of Internet Explorer, from IE6 on Windows 2003 to IE11 on Windows 8.1. This will be our highest priority bulletin since attacks through IE are so effective that a whole industry is developing black market solutions, so-called exploit kits, to capitalize on its vulnerabilities. We track these exploit kits separately in our knowledge base and recommend all customers focus first on vulnerabilities that are in use by these toolkits, which make exploitation available to everybody with the necessary budget.
– Bulletin #3 addresses again an RCE type vulnerability present in all versions of Windows. Again critical to patch as soon as possible.
– Bulletin #4 covers a vulnerability that is rated critical on desktop systems and only important on server type operating systems, where some additional mitigation technology is lowering the risk.
– Bulletin #5 is a bit odd and is rated critical on server type operating systems, but it has no criticality rating on desktop type systems even though they seem to contain the vulnerability. We will have to see what is really going on on Tuesday.
– Bulletin #6 is for Microsoft Word 2007 and addresses an RCE type vulnerability, which should be high on your list of fixes to schedule.
The remaining bulletins are mostly rated important and address Windows, the .NET runtime framework, Word, and the SharePoint and Exchange servers. There was no Outside In fix in last month’s Oracle CPU, so we can assume that the Exchange vulnerability is in another part of Microsoft’s mail server.
Overall it will be a busy month for IT admins, plus we do not know where security advisory 3010060 from October 21 will be addressed. That advisory covered a vulnerability in the OLE packager that is in use in the wild, but I am not sure we will see a patch for it this month.
By Wolfgang Kandek, CTO of Qualys, Inc.
About Qualys, Inc.
The Qualys Cloud Platform and integrated suite of solutions helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.
Used by more than 6,700 customers in over 100 countries, including a majority of the Forbes Global 100, the Qualys Cloud Platform performs more than 1 billion IP scans/audits a year resulting in over 400 billion security events. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including BT, Dell SecureWorks, Fujitsu, IBM, NTT, Symantec, Verizon, and Wipro. The company is also a founding member of the Council on CyberSecurity and the Cloud Security Alliance (CSA).