Microsoft Prepares for Mega Patch Tuesday with 16 Bulletins

System administrators beware: next week will see the biggest Patch Tuesday so far this year, with 16 bulletins scheduled including five critical updates.

The patch load comes within a bulletin of the all-time record of 17, set in 2011, and easily trumps the biggest so far this year of nine, set in May and August.

Four of the critical patches will fix problems that could lead to a remote code execution attack, while the remaining one relates to an elevation of privilege problem.

Seven bulletins in total fix this issue.

“Every supported version of Windows is impacted by the five critical issues, with the minor exception of Server Core not having Internet Explorer exposure,” said Ross Barrett, senior manager of security engineering at Rapid7. 

“In the remaining advisories MS Office 2007, .NET, SharePoint 2010, and Exchange 2007, 2010 and 2013 are all impacted.”

Bulletin 2, which fixes an issue in Internet Explorer versions 6-11, should be prioritized as it is the most likely to have been exploited already in the wild, he added.

“Exchange server patching is always tricky because the systems are mission critical and often deployed on the perimeter,” said Barrett. “Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”

Karl Sigler, threat intelligence manager at Trustwave, explained that one of the critical bulletins may address a Windows OLE remote code execution flaw which has already been exploited by attackers in a specially crafted malicious PowerPoint document.

“Unfortunately the patch for CVE-2014-4114 did not cover the vulnerability entirely and exploits continued to succeed. Microsoft addressed this with some workarounds and Fix-IT released in security advisory 3010060,” he added.

“Although Microsoft mentioned that an out-of-band security update might be necessary due to the severity of this vulnerability, it seems likely now that Microsoft will wait and include this security update in the November release on Tuesday.”

What’s Hot on Infosecurity Magazine?