Patch Tuesday: most monthly Microsoft security advisories since 2011

Patch Tuesday, Microsoft’s monthly release of bug fixes, software patches and updates, will this month contain the most security advisories since June 2011 — and according to experts, applying all the patches will be very time-consuming.

November’s Patch Tuesday will include 16 security advisories, five of which are critical Windows fixes.

Affected products include Exchange, SharePoint and the .NET Framework. Patches to these need thorough testing before deployment, which lengthens the time it takes to get them applied and return everything to normal.

The five critical Windows fixes focus on blocking potential remote code execution on machines running Windows.

Qualys CTO Wolfgang Kandek has provided a summary of the bulletins:

  • Bulletin 1 is rated ‘critical’ for all versions of Windows and has RCE potential — i.e. it allows an attacker to take control over affected machines.
  • Bulletin 2 is rated ‘critical’ as well and affects all versions of Internet Explorer (IE), from IE6 on Windows 2003 to IE11 on Windows 8.1.
  • Bulletin 3 addresses an RCE-type vulnerability present in all versions of Windows and is critical to patch as soon as possible.
  • Bulletin 4 covers a vulnerability that is rated ‘critical’ on desktop systems and ‘important’ on server operating systems.
  • Bulletin 5 is rated ‘critical’ on server operating systems but has no such rating on desktop systems, even though they also seem to contain the vulnerability.

“We will have to see what is really going on there next Tuesday,” Kandek says.

Patch management

Applying these patches may be a struggle for organisations without an effective patch management process. If you have the right people following the right procedures to apply these fixes, you are less likely to suffer delays while protecting your systems from attack.

ISO 27001, the international standard that describes best practice for an information security management system (ISMS), encompasses people, process and technology, and is perfect for patch management as it:

  • ensures you have the right people
  • provides the right processes for specific tasks
  • provides the right technology to carry out those tasks.

ISO 27001 is heavily dependent on documentation, which is why we have created the ISO 27001 Documentation Toolkits. These toolkits contain template documentation that will help you implement ISO 27001 faster and more effectively.
