Microsoft’s September Patch Tuesday offering, which included 14 bulletins covering 60 vulnerabilities or almost twice as many as were issued in August, is the last to be delivered under this update system with the company moving to a “monthly rollup” delivery mechanism starting in October.
Microsoft announced in August that it would institute the “monthly rollup” for its October update that will include security issues and reliability issues in a single update instead of putting out a series of updates from which system administrators can pick and choose. Microsoft believes this will make life easier for admins and make Windows more reliable by eliminating update fragmentation.
However, not everyone agrees with Microsoft’s line of thought. Craig Young, security researcher at Tripwire, told SCMagazine.com that while a cumulative patch does make things easier for consumers and IT staffers, there are some pitfalls. The first is the inability to roll back a specific patch that turns out to be incompatible while retaining the good updates.
“Under a completely cumulative patching model however this is not possible and a serious application interaction could force users to stay on outdated code until the interaction is resolved. When this happens as it did earlier this year when updates from Microsoft proved incompatible with certain software from Citrix, it is a serious problem for enterprises looking to balance risk and business continuity,” Young said.
Amol Sarwate, director of Vulnerability Labs at Qualys, told SCMagazine.com in an email that he agreed with Young’s points, but brought up another issue.
“Another point to note is that previously shipped patches will not be included in the October roll-up and will instead be eventually rolled up in the upcoming year or so. This may create more work in the short run for administrators to keep track of which past KB is rolled up in each month’s update,” he said.
Seven of the bulletins are rated “critical” and the remainder “important”; 10 of the vulnerabilities involve potential remote code execution in various Microsoft products. Several of the bulletins stood out as particularly important, with Bobby Kuzma, CISSP, systems engineer at Core Security, pointing to MS16-108 as deserving attention.
“I’m cringing as I read the description of this vulnerability… Remote Code Execution or Information disclosure via specially crafted attachments, including Meeting Invitation requests… across Exchange 2007, 2010, 2013… And 2016? To be fair, it is an issue with an Oracle provided library, but still,” he told SCMagazine.com in an emailed statement.
MS16-104, MS16-105, MS16-106, MS16-107, MS16-116 and MS16-117 were the other critically rated bulletins.
A zero-day vulnerability, CVE-2016-3352, is also included under MS16-110, said Sarwate.
A couple of the non-critical updates caught the eye of another Core Security researcher as being out of the ordinary.
“There’s a Windows lock screen escalation of privilege fix MS16-112 as well as an update to Microsoft SMB server MS16-114 that could allow remote access to an attacker sending malicious messages to the SMBv1 server. Definitely consider how these surfaces are exposed in your organization,” he told SCMagazine.com in an email.