Server admins get off easy on October Patch Tuesday

Despite patches for several zero-day vulnerabilities, Windows Server admins get a light workload as Microsoft changes its servicing model.

Administrators worried by the rollout of a major change to patching Windows Server systems got off relatively light for October Patch Tuesday, as most of the updates focus on the client operating systems.

Microsoft released 10 security updates in its October Patch Tuesday, including fixes for several "zero-day" vulnerabilities, but none of the exploits specifically target the Windows Server operating system. Nevertheless, security analysts say administrators need to follow basic security procedures when using servers to avoid an attack.

Security bulletin MS16-118 closes an exploit that Microsoft rates as moderate, for Internet Explorer 9 on Windows Server 2008, Internet Explorer 10 on Windows Server 2012, and Internet Explorer 11 on Windows Server 2008 R2 and Windows Server 2012 R2 systems. The same exploit gets a critical rating on affected client operating systems. IT shops that follow basic security standards should not be affected.

These patches for Internet Explorer and Microsoft Edge get a lower priority because "we assume all Windows administrators know that they should not browse the Internet on the server," said Amol Sarwate, director of vulnerability labs for Qualys Inc., in Redwood City, Calif.

One other security bulletin that should concern Windows Server administrators is MS16-121, which closes a zero-day vulnerability in Microsoft Office. If an attacker sends a specially crafted RTF file to a user on either a SharePoint Server 2010 or SharePoint Server 2013 system, and that file is opened, the attacker could take control of that machine.

Rolling out a new patch model

Also today, Microsoft debuted its new servicing model for several operating systems, including Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. The rollup model mirrors the cumulative update method used in Windows 10, where a collection of patches is bundled in a single package.

This model will not allow individual patches to be installed -- or removed. If a rollup is applied to a system and a significant problem occurs, then the administrator either must wait for a fix or uninstall the entire update.

There are two rollups issued during "B week," or the second Tuesday of the month: a security quality update that features security patches, and a monthly rollup that includes both security fixes and any stability or feature updates. On the third Tuesday of each month, or "C week," administrators can get a "preview rollup" that includes non-security fixes that will be rolled into the next monthly update. The preview rollup can help administrators test out systems to get an early look at any potential issues before the next "B week" rollup.

Sarwate feels the move to cumulative updates is a good step to provide more stability and security to Windows environments. "The only drawback [is] that a patch cannot be selectively uninstalled," he said, but he expects Microsoft will refine and improve the process.

"There are a lot of legacy systems and a lot of legacy ways that people do things," Sarwate said. "There is no one silver bullet to do things that will make everyone happy."

For more information about the remaining October security bulletins, visit the Microsoft Security TechCenter site.

Tom Walat is the site editor for Write to him at [email protected] or follow @TomWalatTT on Twitter.
