Microsoft Unloads Seven Critical Bulletins on Admins

September will be a busy month for IT admins after Microsoft released 14 fixes including seven critical ones for them to install this Patch Tuesday – the last of its kind before the servicing changes are made.

Security teams should start with the patches which address bugs actively being exploited in all current versions of IE, urged Heat Software product manager, Todd Schell.

“If your users still rely on the popular browser, apply cumulative update MS16-104 right away. You never know when one of your users may hit a malicious webpage resulting in unwanted code execution,” he added.

“While you’re at it, you might as well address MS16-116 too; it is a critical update in the OLE Automation for VBScript that also requires the patch provided by MS16-104. For those of you that use Microsoft Edge, that browser also has a cumulative update this month with MS16-105 and it too is rated critical.”

Others to consider are MS16-107, which fixes RCE bugs in Office; MS16-106, relating to RCE issues in Microsoft Graphics Component; MS16-108, which fixes an RCE issue in Microsoft Exchange Server; and MS16-117 – the obligatory Adobe Flash Player update.

The latter – also covered by Adobe's own APSB16-29 – fixes 29 flaws in the bug-prone Adobe software that come into play when it runs on recent versions of Windows.

Tripwire manager Tyler Reguly pointed out that Microsoft has also published an advisory for a vulnerability, with no CVE assigned, in ASP.NET Core View Components.

Although there isn’t a patch available, developers must take heed, he warned.

“Vulnerabilities like this, that rely on changes to code and redeployment, are often overlooked because they don't get the same attention or update process that traditional vulnerabilities detailed in security bulletins do,” Reguly added.

“A vulnerability is a vulnerability though and this advisory (3181759) is a good reminder of why system and info sec admins should pay attention to both bulletins and advisories.”

This Patch Tuesday is the last before Microsoft changes things around so that pre-Windows 10 shops won’t be able to pick and choose which patches to install, but instead will be forced onto bundled updates.

Chris Goettl, product manager at Shavlik, argued that this would make it more important to test prior to patching.

“Companies will have to do more rigorous application compatibility testing to ensure things don't break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues,” he explained.

“Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.”