Microsoft will release 16 bulletins, including five critical fixes, during its monthly Patch Tuesday update next week.
In addition to its five critical patches, nine are “important” fixes and two are “moderate," according to Microsoft's preview post on the updates. Most of the critical fixes address remote code execution (RCE) vulnerabilities in Windows, although one does tackle an elevation of privilege issue that could let an application have more privileges than intended, thus allowing it to perform unauthorized actions.
This month's bulletins affect Windows, Internet Explorer, the company's .NET Framework, Microsoft Office, and its server software. November's Patch Tuesday is the largest since September 2013, when Microsoft released 14 bulletins.
Russ Ernst, director, product management, Lumension, noted in prepared comments sent to SCMagazine.com that this Patch Tuesday will have a “big impact” on the enterprise, and also said the fixes correlate with Microsoft's recent decision to stop selling Windows 7 and 9 to and through retailers.
“This is clearly one step to get people off old code, and from a vulnerability management perspective anyway, we have to applaud the effort,” Ernst said. “Also on their list to update, I'm sure, is large install base on Windows Server 2003 as end of life is next year.”
Microsoft ran into issues with its October Patch Tuesday after one of its fixes still left users vulnerable. The original bug, CVE-2014-4114, allowed attackers to exploit a zero-day flaw. A week after releasing a bulletin, though, the company issued a temporary fix for the bug, after assigning it a new ID, CVE-2014-6352.
