Huge Patch Tuesday Update Tackles Critical Bugs

Microsoft has released a massive Patch Tuesday security update that includes fixes for critical vulnerabilities, including one that is 19 years old.

The patch Tuesday update includes 16 security bulletins, a number of which are rated critical. The most important update is MS14-064, which addresses a very old flaw that affects all supported versions of the Windows operating system, including Windows XP.

Zero-Day Flaws

The mammoth Patch Tuesday update has led to many experts to warn Windows users should download and install the update as soon as possible. This is because five of the sixteen security bulletins address Remote Code Execution (RCE), a type of vulnerability that allows attackers to take control of a machine.

A number of bulletins are rated critical and affect either Windows or Internet Explorer flaws. Other bulletins are rated as important and address Windows, the .NET runtime framework, Word and the SharePoint and Exchange servers.

“We are looking at a substantial Patch Tuesday from Microsoft for November,” blogged Wolfgang Kandek, CTO, Qualys. “Microsoft will publish 16 bulletins, with five of them allowing Remote Code Execution (RCE)- the type of vulnerability that attackers are particularly fond of. Overall the additional 16 bulletins will bring Microsoft’s count up to 79, meaning that we will finish the year under 100 vulnerabilities, which is a bit lower that in 2013 and 2011 and probably on par with 2012.”

“Overall it will be a busy month for IT admins, plus we do not know where security advisory 3010060 from October 21 will be addressed,” wrote Kandek. “That advisory covered a vulnerability in the OLE packager that is in use in the wild, but I am not sure we will see a patch for it this month.”

Critical updates

“Patch Tuesday is coming in hot this month with 15 advisories, of which 4 are listed as critical,” said Ross Barrett, senior manager of security engineering at Rapid7. “The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE.”

“After MS14-064, attention belongs on MS14-065 and MS14-066, Internet Explorer and SChannel respectively,” he added.

Last month, researchers revealed that Russian hackers had been using Sandworm to attack organisations including NATO, Ukrainian and European governments in a campaign going back at least to 2009.

Last month, Microsoft pulled one of the updates from its October Patch Tuesday release and recommended anyone who downloaded the fix should uninstall it.

Some users complained of “issues” after the update added support for the SHA-2 signing and verification functionality to Windows 7 and Windows Server 2008 R2 machines with the intent of improving security over the more vulnerable SHA-1 hashing algorithm.

Are you a security expert? Try our quiz!