Microsoft is issuing the largest number of monthly security advisories since June 2011, five of them critical and affecting all supported versions of Windows. And applying the patches will be time consuming, experts say.
"Next week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise," says Russ Ernst, the director of product management for Lumension.
+[Also on Network World: Microsoft Office advancements are a boost for BYOD programs]+
Generally, Microsoft alternates between patching Windows and updating applications in order to keep down the number of machines that need attention each month, says Chris Goettl, a product manager with Shavlik. This batch includes critical updates for .NET Framework, Office 2007, Exchange and SharePoint.
"Exchange and SharePoint being in the mix means that there will be a need for some thorough testing before rolling out updates," he says. ".NET Framework also is getting an update this month, which usually means a little longer time on the maintenance window as those patches tend to take a little longer than the average OS patch to install."
Also in the mix this month is Windows 10, formally Windows Technical Preview, which is in line for five updates ranked critical, says Goettl. "It would be a good idea to run this and see how well the patches apply. The updates will be available through Windows Update and Microsoft is encouraging people to apply them," he says.
The five critical bulletins are about fixes to block potential remote code execution on victimized machines, says Qualys CTO Wolfgang Kandek. Here is his summary of these bulletins:
- Bulletin 1 is rated critical for all version of Windows and has RCE potential, i.e. the type of vulnerability that allows an attacker to take control over the affected machine.
- Bulletin 2, critical as well and covers all versions of Internet Explorer IIE from IE6 on Windows 2003 to IE11 on Windows 8.1.
- Bulletin 3 addresses an RCE type vulnerability present in all version of Windows and is critical to patch as soon as possible.
- Bulletin 4 covers a vulnerability that is rated critical on desktop systems and important on server operating systems.
- Bulletin 5 is rated critical on server operating systems but has no criticality rating on desktop systems, even though they seem to contain the vulnerability. "We will have to see what is really going on there next Tuesday," he says.
The advanced security bulletins include nine that are ranked important, which means they require user action in order to be exploited. They address vulnerabilities in Windows, Windows Server, Exchange, and .NET Framework. Possible exploits include elevation of privilege, remote code execution, security feature bypass and information disclosure.
The remaining bulleting is ranked moderate and could result in denial of service attacks against Windows.
Tim Greene covers security and keeps an eye on Microsoft for Network World. Reach him at firstname.lastname@example.org and follow him on Twitter@Tim_Greene.