42: The answer to life - and the latest Patch Tuesday number of updates

News by Steve Gold

Microsoft has issued four bulletins covering a total of 42 vulnerabilities, 36 of which are rated critical.

You may have missed Microsoft's Patch Tuesday announcement, owing to new smartphone and smart watch launches from a small Cupertino-based start-up, but this does not lessen their importance.

Alongside the raft of updates, Microsoft is advising users to install vendor patches as soon as they are available, as well as running all software with the least privileges required while still maintaining functionality.

According to security researcher Brian Krebs, the latest Patch Tuesday addresses a wide range of vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework, with 37 of the 42 addressed in an Internet Explorer update.

Krebs says that even he has run into trouble installing Patch Tuesday packages alongside .NET updates, so he advises users to make every effort to apply the .NET patch separately.

"To avoid any complications, I would recommend that Windows users install all other available recommended patches except for the .NET bundle; after installing those updates, restart Windows and then install any pending .NET fixes," he says in his latest security column.
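The two-pass order Krebs describes can be scripted against the Windows Update Agent COM API so that nothing whose title mentions the .NET Framework is touched until after the reboot. This is an added example, not code from the article or from Krebs; the title pattern used to hold back the .NET bundle is an assumption and should be checked against what the searcher actually returns on your machine.

```powershell
# Added example (not from the article or from Brian Krebs): stage pending Windows
# updates in two passes via the Windows Update Agent COM API, deferring the .NET
# Framework bundle until after a restart. Run from an elevated PowerShell session.
$DeferPattern = '\.NET Framework'   # assumed pattern for the updates to hold back

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Pending, non-hidden software updates
$pending = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

$now   = New-Object -ComObject 'Microsoft.Update.UpdateColl'   # pass 1
$later = New-Object -ComObject 'Microsoft.Update.UpdateColl'   # pass 2, after reboot

foreach ($u in $pending) {
    if ($u.Title -match $DeferPattern) { [void]$later.Add($u) } else { [void]$now.Add($u) }
}

Write-Host "Pass 1 (install now): $($now.Count) update(s)"
foreach ($u in $now)   { Write-Host "  $($u.Title)" }
Write-Host "Pass 2 (after restart): $($later.Count) update(s)"
foreach ($u in $later) { Write-Host "  $($u.Title)" }

if ($now.Count -gt 0) {
    foreach ($u in $now) { if (-not $u.EulaAccepted) { $u.AcceptEula() } }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $now
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $now
    $result = $installer.Install()

    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed
    Write-Host "Install result code: $($result.ResultCode); reboot required: $($result.RebootRequired)"
    if ($result.RebootRequired) {
        Write-Host "Restart Windows, then run this script again: the deferred .NET updates will be the only ones left in pass 1."
    }
}
```

On the second run after the restart, the deferred updates no longer match anything else pending, so they land in pass 1 on their own, which is exactly the isolation Krebs recommends.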

Over at Rapid7, Ross Barrett, the security vendor's senior manager of security engineering, said that the updates represent a relatively light round of Microsoft patching this month.

The sole critical issue this month, he says, is the expected Internet Explorer roll up affecting all supported (and likely some unsupported) versions.

"This IE roll up addresses 36 privately disclosed Remote Code Execution issues and one publicly disclosed Information Disclosure issue which is under limited attack in the wild. This will be the top patching priority for this month," he said.

Of the three non-critical bulletins this month, Barrett adds that two address denial of service issues affecting Lync and Windows/.NET.

"The other is an elevation of privilege issue affecting Windows 8/8.1 and Server 2012 & 2012 R2. The Lync advisory also addresses an XSS, which could disclose information of a connecting user. Nothing to ignore, but definitely secondary to the IE issue unless it turns out that some or all of these are under active exploitation," he explained.

Karl Sigler, a threat intelligence manager with Trustwave, meanwhile, said that the September Patch Tuesday rollup for Internet Explorer rounds out a summer of IE vulnerabilities with nearly 150 Critical vulnerabilities patched since June.

Tyler Reguly, Tripwire's manager of security research, had a different take on Patch Tuesday, noting that denial of service appears to be the chef's selection of the day with 50 percent of the bulletins resolving remote denial of service vulnerabilities.

"If you are running ASP.NET or send Lync meeting requests to third parties, then these updates are particularly important for your organisation. In some cases, they may even be considered critical - denial of service is not something to be taken lightly," he explained.

Reguly says that, given how few patches enterprises have to install in their Microsoft environments, this might be a good time to do a little IT housekeeping.

"Take the extra cycles that would normally go into testing and applying patches and track down all those old versions of Java on your system. A lot of people are unaware that they exist, so do a little research while these patches install... you might be surprised," he noted.
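The housekeeping Reguly suggests, finding the Java installs nobody remembers, is a registry inventory on Windows. The following is an added example, not code from the article or from Reguly: it reads both the native and WOW6432Node uninstall hives plus the JavaSoft runtime keys, and marks every Java entry older than the newest one found. The 'Java*' display-name filter and the assumption that Oracle-published entries carry "Java" in their name are assumptions about how the installers register themselves.

```powershell
# Added example (not from the article or from Tyler Reguly): inventory Java runtimes
# registered on a Windows host and flag the stale ones. Read-only; nothing is removed.
function Get-JavaInventory {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Assumed filter: Java installers register a DisplayName starting with "Java"
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        ForEach-Object {
            $ver = $null
            # DisplayVersion is normally dotted digits (e.g. 8.0.200); anything else sorts last
            try { $ver = [version]($_.DisplayVersion -replace '[^\d.]', '') } catch { }
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Version        = $ver
                Publisher      = $_.Publisher
                Location       = $_.InstallLocation
                Stale          = $false
            }
        }

    # Everything below the newest parseable version is a removal candidate
    $newest = ($entries | Where-Object Version | Sort-Object Version -Descending | Select-Object -First 1).Version
    foreach ($e in $entries) {
        if ($null -eq $e.Version -or ($newest -and $e.Version -lt $newest)) { $e.Stale = $true }
    }
    $entries
}

function Get-RegisteredJre {
    # Each subkey under the JavaSoft JRE key is a registered runtime version (e.g. 1.7, 1.8)
    $jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    if (-not (Test-Path $jreKey)) { return @() }
    Get-ChildItem $jreKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Version = $_.PSChildName; JavaHome = $p.JavaHome }
    }
}

Get-JavaInventory | Sort-Object Version -Descending | Format-Table DisplayName, DisplayVersion, Stale, Location -AutoSize
Get-RegisteredJre   | Format-Table Version, JavaHome -AutoSize
```

Entries whose JavaHome directory no longer exists, or uninstall entries with no matching JavaSoft registration, are the usual sign of a half-removed runtime; those are worth tracking down by hand before the next patch cycle.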
