Tackling the Massive Microsoft Patch Tuesday
Patch Tuesday is here, and this month is a whopper. Microsoft has unleashed 17 new security bulletins, addressing a total of 64 separate vulnerabilities. With so many patches to apply, IT admins need to understand the potential impact of each vulnerability to develop a plan of attack for applying the updates.
April 2010 was a big month for Patch Tuesday as well, with 11 security bulletins. Yet as of April 2010 Microsoft had released only 29 security bulletins for the year, whereas this batch of 17 doubles the 2011 count and brings Microsoft to 34 bulletins so far this year. Of the 17 security bulletins this month, nine are rated Critical and the remaining eight Important.
As I pointed out last week in the heads-up article about Microsoft's mammoth Patch Tuesday, the number of updates is more or less irrelevant to most consumers and even small businesses. If you have Automatic Update enabled and configured to download and install the latest Microsoft updates in the middle of the night while you're sleeping, it doesn't really matter whether there are two security bulletins or twenty-two. Either way you wake up to a freshly patched (and probably rebooted) system.
But for larger companies, where IT admins must test patches to ensure they don't conflict with business-critical applications or cause issues that might impede productivity, and where deployment has to be managed and coordinated across hundreds, thousands, or even tens of thousands of PCs, it's another story.
Tyler Reguly, Technical Manager of Security Research and Development for nCircle, commented, "When I take a look at the list of bulletins for today, only one word comes to mind: overwhelming. I'm glad I only have to develop detection of these vulnerabilities once and not apply the patches to thousands of systems."
Joshua Talbot, security intelligence manager at Symantec Security Response, points out that Microsoft set a record this month by addressing 30 separate vulnerabilities in a single patch update: MS11-034 fixes 30 privilege escalation issues in Windows kernel-mode drivers.
"The most important patches this month are part of the cumulative security update for Internet Explorer," according to Talbot. "The majority of the vulnerabilities fixed affect IE 6, 7 and 8; this translates to an extremely wide install base of affected software. The fact they are also all drive-by download issues, where a user simply has to visit a compromised Website for the vulnerability to be exploited, also increases their severity."
nCircle Director of Security Operations Andrew Storms agrees that the Cumulative Security Update for Internet Explorer (MS11-018) is a crucial update to apply, but he considers the SMB patches just as urgent.
Storms explains that two of the flaws addressed in the IE update are already being targeted by exploits, so it is critical to get that update applied. But he also stresses that at least one of the SMB flaws is "network aware" and could be used to create a worm like Conficker, which spread tenaciously across networks around the world.
Storms says, "If I absolutely had to pick between the two bugs, I would patch IE first and then immediately patch SMB. You can't delay either of these two patches this month."
Each network environment and Microsoft infrastructure is unique, though. It is up to individual IT and security administrators to determine their exposure to, and the potential impact from, attacks that might exploit these vulnerabilities, and to prioritize the patch order based on that risk analysis. The bottom line, though, is that there are a lot of patches this month, and many of them are urgent, so don't waste too much time. Get patching.