Some Windows admins may have become a little complacent over the last several months, as Microsoft rocked along, releasing 4 to 8 patches per Patch Tuesday. (For the moment, we’ll overlook the extra work caused by problematic patches that had to be uninstalled.) It’s been a while since we’ve had one of those monster months where we felt overwhelmed by the number of security updates that descended upon us on the second Tuesday.
Well, sorry to be the bearer of bad news, but that streak of good luck is over. November brings us, along with cooler weather and turkey and dressing (in the U.S.), a total of 16 patches from Microsoft. The somewhat good news is that only five of them are rated as critical, with four of those being remote code execution vulnerabilities and the fifth addressing an elevation of privilege issue. The important and moderate vulnerabilities run the gamut of elevation of privilege, security feature bypass, information disclosure and denial of service.
The vast majority of this month’s plethora of patches (13 of them) apply to the Windows operating systems, with a couple that pertain to Office programs, one to Exchange and one to Windows Server Software. Both Windows client and server are affected, and all supported versions – Vista, Windows 7, Windows 8/8.1, RT/RT 8.1, Server 2003, 2008/2008 R2, 2012/2012 R2 – are impacted by one or more of these security updates. Even the server core installations are affected by half of the vulnerabilities. It’s also important to note that Bulletins 1, 2, 4 and 5 affect Windows Technical Preview (Windows 10) and Windows Server Technical Preview, for those who are testing the yet-to-be-released operating systems. Windows components such as Internet Explorer and .NET Framework are also affected by some of the updates.
It appears that the new versions of Microsoft Office are safe, with Bulletins 6 and 15 reportedly affecting only Microsoft Word 2007 SP3 and IME (Japanese), Word Viewer and the Office Compatibility Pack SP3 (but not Office 2010 and 2013 applications). Bulletins 10 and 12 impact Exchange Server 2007, 2010 and 2013, as well as SharePoint Server 2010 SP2.
There’s going to be a lot here to sort through, and given the functionality problems that we’ve seen caused by some patches in recent months, only the bravest or most foolhardy network admins will roll out this huge slate of updates in a production environment without doing some testing first. That means many of us are going to have some long hours ahead of us next week.
Microsoft always recommends that before applying any security update, you read all the relevant documentation to determine whether the update is relevant to your environment, whether it will cause other problems, whether there are dependencies associated with it (such as certain features being disabled or enabled by the update), and whether there are any issues related to the sequencing of multiple updates. That means a great deal of reading and research when you’re looking at sixteen updates.
In addition, since many of this month’s updates pertain to Windows Server OS, it’s worth mentioning that patch levels need to be consistent across domain controllers, since having different patches on different domain controllers can result in synchronization and replication problems.
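One way to check that consistency before and after the rollout is to compare the installed hotfix list on every domain controller. The script below is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can query each DC remotely.

```powershell
# Added example: report hotfixes present on some domain controllers but not others.
# Get-HotFix reads Win32_QuickFixEngineering, so it covers OS updates only;
# updates for products such as Exchange or Office are not listed by it.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

# Compare only DCs running the same OS, since KB numbers differ between releases.
$report = foreach ($group in ($dcs | Group-Object OperatingSystem)) {
    $installed = @{}
    foreach ($dc in $group.Group) {
        try {
            $installed[$dc.HostName] = @(
                Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                    Select-Object -ExpandProperty HotFixID |
                    Where-Object { $_ -match '^KB\d+$' } |
                    Sort-Object -Unique)
        } catch {
            # An unreachable DC is reported, not silently treated as fully patched.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # Union of every KB seen on any DC in this OS group.
    $allKbs = @($installed.Values | ForEach-Object { $_ } | Sort-Object -Unique)

    foreach ($name in $installed.Keys) {
        $missing = @($allKbs | Where-Object { $installed[$name] -notcontains $_ })
        [pscustomobject]@{
            OperatingSystem  = $group.Name
            DomainController = $name
            InstalledCount   = $installed[$name].Count
            MissingCount     = $missing.Count
            Missing          = $missing -join ', '
        }
    }
}

$report | Sort-Object OperatingSystem, MissingCount -Descending |
    Format-Table -AutoSize -Wrap
```

A non-zero MissingCount means that DC lacks an update that at least one peer on the same OS already has; some differences can be legitimate when an update applies only to a role or feature installed on one server.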
Now more than ever, and especially when you’re contemplating a big patch rollout such as this month’s, it is essential that you have a “back out” plan, that is, a procedure for getting your systems back to their pre-patch state if the update process fails or causes major problems and has to be rolled back.
For more information on these “sweet sixteen” patches, check back with us next Tuesday, when we’ll have the complete rundown on the vulnerabilities that are addressed. In the meantime, you can check out the official advance notification document on Microsoft’s TechNet site.