Microsoft's Patch Tuesday software updates will require system reboots just when IT administrators and channel partners are most nervous about anything that might cause service interruptions.
Furthermore, many of the current vulnerabilities span the full history of Windows operating systems, leading Alex Horan, senior product manager at CORE Security, to describe this Patch Tuesday as a "Christmas present for the bad guys."
"Cybercriminals are very happy when they can launch one attack across multiple OSes," he said. "This Patch Tuesday has vulnerabilities that are repeated across the entire Microsoft family and affect the core of the OS. So the bad guys can write one exploit and basically attack every Windows machine out there. To write one piece of code and have it work against everything is just Nirvana."
Among the seven bulletins in this month's list, five are marked as critical, as a result of the risk of remote code execution.
Bulletin 4 arguably dominates the pack this month. It involves a critical remote code execution vulnerability in Exchange 2007 SP3 and Exchange 2010 SP1 and SP2.
"Both of those systems, by design, face the Internet," said Horan. "They have to in order to accept email. So the attacker no longer has to be in the network or run code on Windows machines. They just have to send an email or connect to the port where you receive email. Restarting the Exchange Server needs to be done at a time when it's not going to impact business, so this one could be somewhat troublesome."
The mission-critical nature of Microsoft Exchange is especially emphasized during the holiday season.
"I think it's fair to say that anybody running Windows is going to need to patch and reboot next week," said Andrew Storms, director of security operations at nCircle. "Every SKU of Windows is affected here in one manner or another. And we're in a time of the year when a lot of people aren't going to want to reboot. They want to focus on sales, and they can't afford any downtime with holiday shopping, so it's tempting to put these on hold and wait until January."
But Storms added that once the specifics of the vulnerability are announced on Tuesday, hackers will immediately be on the lookout for vulnerable pieces of code. "You have to determine the risk for yourself and for your company, and it could be that the mitigation can be executed without much downtime or interruption," he added.