Patch Tuesday Advanced Notification November 2014
It looks like this is going to be the biggest month yet for Microsoft, as it has announced 16 bulletins. This is the highest bulletin count we have seen from Microsoft this year; August and May each had nine bulletins, and nothing else this year has come close. Of the 16 bulletins announced, five are critical.
We can most likely expect bulletin 2 to continue the trend of Critical IE updates, likely resolving more than 10 vulnerabilities relating to memory leaks, corruption, etc. We have seen this trend since June of this year and have no reason to expect otherwise.
Security Advisory 3010060 (CVE-2014-6352), released on October 21 for the vulnerability in Microsoft OLE, still has not been patched; that vulnerability was leading to attacks in the wild for Excel and PowerPoint. It is possible that two of the updates could apply to this vulnerability. Bulletin 6 for Office could be resolving part of the vulnerability, and one of the critical Windows patches is likely resolving it at the OS level.
Although Microsoft usually staggers its patches, alternating between OS and app updates, it looks like nearly all machines will have at least a few critical updates to apply, including .NET Framework, Office 2007, Exchange and SharePoint. Exchange and SharePoint being in the mix means that there will be a need for some thorough testing before rolling out updates. .NET Framework is also getting an update this month, which usually means a somewhat longer maintenance window, as those patches tend to take a little longer to install than the average OS patch.
Microsoft is making bulletins 1, 2, 4, and 5 available for the Windows Technical Preview and Windows Server Technical Preview, which means that Windows 10 and Server Previews will have updates available. It would be a good idea to run these updates and see how well the patches apply. The updates will be available through Windows Update, and Microsoft is encouraging people to apply them.
On the non-Microsoft front, there is a high likelihood of an Adobe Flash update this Patch Tuesday. So far this year, we have seen a Flash release on all but one Patch Tuesday. With that, you can expect an IE Advisory to update the plug-in, as well as a Google Chrome release for the same reason.
Microsoft Security Bulletins:
- 5 bulletins are rated as Critical.
- 8 bulletins are rated as Important.
- 2 bulletins are rated as Moderate.
Vulnerability Impact:
- 5 bulletins address vulnerabilities which could allow Remote Code Execution.
- 2 bulletins address vulnerabilities which could result in Security Feature Bypass.
- 7 bulletins address vulnerabilities which could allow Elevation of Privileges.
- 1 bulletin addresses a vulnerability which could lead to Information Disclosure.
- 1 bulletin addresses a vulnerability which could lead to a Denial of Service attack.
Affected Products:
- All supported Windows Operating Systems (Including the Technical Previews!)
- All supported Internet Explorer versions.
- Microsoft .NET Framework
- Microsoft Office 2007
- Microsoft SharePoint Server 2010
- Microsoft Exchange 2007, 2010, and 2013
Join us as we review the Microsoft and third-party releases for November Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, November 12th at 10 a.m. CDT. We will also discuss other product and patch releases since the October Patch Tuesday.
You can register for the Patch Tuesday webinar here.