Microsoft is set to task users with only a relatively light Patch Tuesday next week, with just two critical issues out of a total of six.
The two critical updates fix remote code execution flaws; one for IE6 on Windows Server 2003 and IE7-IE11, and the other patching virtually all versions of Windows still supported.
Ross Barrett, senior manager of security engineering at Rapid7, explained that “OS administration teams will be busy, application administrators get the month off”.
“One of the critical issues is an IE fix. It will be interesting to see just how many CVEs are in this round after the 59 patched in MS14-035. Rather than 59 being the new normal, I expect this round will return to the 8-12 CVEs addressed per IE patch standard,” he added.
“The other critical affects Windows OSes from Vista to latest, excluding Server Core builds. It’s probably not a true no-user-interaction remote, but it could be. These two will undoubtedly be the top patching priorities.”
The remaining updates include three rated “important” by Microsoft which relate to elevation of privilege vulnerabilities in Windows.
As such, the attacker needs to already have a presence on a targeted machine to do any damage, but they should still be treated seriously, according to Qualys CTO Wolfgang Kandek.
“Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attackers gets an account on the machine, say through stolen credentials,” he wrote in a blog post.
“In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.”
The final update, rated “moderate”, fixes a denial of service vulnerability in the Service Bus for Windows.
Although this product is not installed by default with any OS, “if you have this component you will probably care to patch this before script kids start knocking over your site”, warned Barrett.
Redmond’s security notification process was criticised this week when the firm decided to abandon emailed patch updates in response to strict new anti-spam laws in Canada.
It then appeared to reverse the decision just a day later, after being slammed for taking such a heavy-handed approach.