We are looking at a substantial Patch Tuesday from Microsoft for November. Microsoft will publish 16 bulletins, with five of them allowing Remote Code Execution (RCE)- the type of vulnerability that attackers are particularly fond of. Overall the additional 16 bulletins will bring Microsoft’s count up to 79, meaning that we will finish the year under 100 vulnerabilities, which is a bit lower that in 2013 and 2011 and probably on par with 2012.
A big release like this month’s covers all versions of the Windows operating system, both for servers and workstations, the .NET stack, Microsoft Office, Sharepoint and Exchange. Plenty of work for IT admins on all levels, server, desktop and applications, but the focus should be on the top five:
- Bulletin #1 is rated critical for all version of Windows and has RCE potential, i.e. the type of vulnerability that allows an attacker to take control over the affected machine.
- Bulletin #2, critical as well and covers all versions of Internet Explorer IIE from IE6 on Windows 2003 to IE11 on Windows 8.1. This is will be our highest priority bulletin, since attacks through the browser are so effective that a whole industry is developing black market solutions, the so-called Exploit Kits. We track these Exploit Kits separately in our knowledge base and recommend all customers to focus first on vulnerabilities that are in use by these toolkits that make exploitation available to everybody with the necessary budget.
- Bulletin #3 addresses again an RCE type vulnerability present in all version of Windows. Again critical to patch as soon as possible.
- Bulletin #4 covers a vulnerability that is rated critical on desktop systems and only important on server type operating systems, where some additional mitigation technology is lowering the risk.
- Bulletin #5 is a bit odd, and is rated critical on server type operating systems, but has no criticality rating on desktop type systems, even though they seem to contain the vulnerability – we will have to see what is really going on there next Tuesday.
- Bulletin #6 is for Microsoft Word 2007 and addresses an RCE type vulnerability, which should be high on your list of fixes to schedule.
The remaining bulletins are mostly rated important and address Windows, the .NET runtime framework, Word and the SharePoint and Exchange servers. There was not Outside In fix in last month’s Oracle CPU, so we can assume that the exchange vulnerability is in another part of Microsoft’s mail server.
Overall it will be a busy month for IT admins, plus we do not know where security advisory 3010060 from October 21 will be addressed. That advisory covered a vulnerability in the OLE packager that is in use in the wild, but I am not sure we will see a patch for it this month. Stay tuned for more information by checking back on this blog – see you next week.