Microsoft is already notifying IT managers and the general public that the upcoming “Patch Tuesday” will go down as the largest on record, with a total of seventeen updates being issued… two of them critical updates. They want the word to get out well prior to the drop so that people in corporate environments will have time to plan their patch implementation.
One of December’s patches is rated critical for all versions of Windows and Internet Explorer (IE). Additionally, one security vulnerability that Microsoft will fix Tuesday is a zero-day flaw in IE that was discovered just before November’s Patch Tuesday drop. The flaw in IE 6, 7, and 8 could let an attack program completely compromise the user’s system. Microsoft published a Security Advisory at the time that included workarounds for IE 8, and said it was working on a fix for the problem.
Only one of Tuesday’s patches is rated “moderate” in importance. The remainder are either critical or important. Eight of them will require a reboot of the system. The various patches cover security issues within Windows, Office, Internet Explorer, SharePoint and Exchange. Ten of them cover remote code execution, although there are also vulnerabilities that could result in Denial of Service attacks against Windows and Exchange.
This large patch drop is a problem for many companies. Staffing is short at this time of year due to holidays, so there may not be enough manpower available to get the updates downloaded and installed onto machines. Additionally, several businesses don’t allow patch updates during the last month or two of the year. Companies cannot afford year-end downtime caused by bad patching screwing things up. If the updates out on Tuesday are critical ones to fix security issues, are these companies better off waiting, or taking a chance and patching? What do you think?