Business braces for heavy Patch Tuesday

IT administrators face a busy month as Microsoft plans to release a bumper security update on 11 November 2014

IT administrators face a busy month at server, desktop and application level as Microsoft plans to release a bumper security update on 11 November 2014.

Microsoft plans to publish 16 bulletins, with five of them allowing remote code execution, according to this month’s advance notification.

This month’s security update covers all versions of Microsoft’s Windows operating system as well as the .Net stack, Microsoft Office, SharePoint and Exchange.

Businesses should pay immediate attention to the top six bulletins in particular, according to Wolfgang Kandek, chief technology officer of security firm Qualys.

First is Bulletin #1, which is rated critical for all versions of Windows because of the potential for attackers to exploit the vulnerability to take control of affected machines.

Bulletin #2 is also rated critical and covers all versions of Internet Explorer from IE6 on Windows 2003 to IE11 on Windows 8.1.

Kandek notes that attacks through the browsers are extremely effective, and consequently a whole industry is developing exploit kits to make it easier to carry out such attacks.

Ross Barrett, senior manager of security engineering at Rapid7, said IE is the most exploitable attack vector and the most likely to have already been involved with active attacks in the wild.

Patching mission-critical systems

Bulletin #3 also addresses a remote code execution vulnerability present in all versions of Windows, and should be patched as soon as possible.

Bulletin #4 covers a vulnerability rated “critical” on desktop systems, but “important” on server-type operating systems, where some additional mitigation technology is lowering the risk.

Bulletin #5 is rated critical on server-type operating systems. However, it has no criticality rating on desktop-type systems, which Kandek considers “a bit odd” considering desktop systems seem to contain the vulnerability.

Bulletin #6 is only for Microsoft Word 2007, but addresses a remote code execution vulnerability, and consequently Kandek believes it should be a high priority for businesses running this version of Microsoft Word.

The remaining bulletins are mostly rated important and address Windows, the .Net runtime framework, Word and the SharePoint and Exchange servers.

According to Barrett, Exchange server patching is “always tricky” because the systems are mission-critical and often deployed on the perimeter.

“Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime,” he said.

This month’s 16 bulletins will bring Microsoft's count for 2014 up to 79, which Kandek notes is a bit lower than the annual total for 2013 and 2011, but on par with 2012.
