Server administrators should give particular attention to several of the 14 security bulletins in Microsoft's November Patch Tuesday, including a rare SQL Server patch and the well-publicized zero-day exploit. Last month's major change in how administrators apply updates, however, has not wrought the havoc some had feared.
"I talked with a few people, and there was interestingly not much reaction either way -- either good or bad," said Amol Sarwate, director of vulnerability labs for Qualys Inc., in Redwood City, Calif. There may be more of an uproar in the future, he added, if a rollup causes serious compatibility issues that affect a wide number of users.
Microsoft introduced its rollup patching system last month for several operating systems, including Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016, which was released to general availability on Oct. 25.
Before the October changes, administrators could add and remove individual patches if problems arose. The rollup model removes this flexibility by putting all security and nonsecurity updates into a single package, similar to the cumulative update model used for the Windows 10 client operating system. Microsoft said the rollup model should reduce issues from fragmentation, where systems can have different updates that could lead to problems, such as increased scan times and dependency errors.
Depending on the severity of the issue with a system after applying a rollup, the administrator can either wait for Microsoft -- or a third-party vendor -- to deliver a fix, or uninstall the update themselves.
Three updates for Windows Server administrators
For this month's fixes, server administrators should be aware of six vulnerabilities in several SQL Server components that Microsoft addressed in bulletin MS16-136, Sarwate said. On an unpatched system, an attacker could take advantage of a vulnerability to gain elevated privileges, then manipulate data or create a new account. While not a critical update, this warrants special attention due to the rarity of patches for this particular product.
"SQL Server doesn't get patched very often," maybe once or twice a year, but "it does have some vulnerabilities," Sarwate said.
Microsoft closed a zero-day vulnerability with security bulletin MS16-135. The update closes a hole in kernel-mode drivers in all supported releases of Windows. While only rated important by Microsoft, the bulletin caught Sarwate's interest because it has been actively exploited in the wild. The vulnerability got widespread attention after Google publicized it in a blog on Oct. 31.
"It affects the kernel, and there had been no patches for it so far. I think it is an important patch for servers, as well as desktops," Sarwate said.
The final patch worthy of consideration from server administrators is MS16-130, which is a critical bulletin affecting all supported releases of Windows. The update closes vulnerabilities in several core Windows components, such as Task Scheduler and how Windows loads dynamic-link libraries. Sarwate said most administrators know they should not open image files, which could trigger the exploit on an unpatched server operating system, but should apply the patch to be safe.
New servicing model comes with new terminology
In addition to the technical changes, Microsoft has changed the terminology of the patching schedules. The second Tuesday of the month -- commonly known as Patch Tuesday -- Microsoft now calls its B week update. Microsoft refers to the third Tuesday of the month as the C week update, when administrators can get a preview rollup of nonsecurity fixes coming in the next B week update. Theoretically, this preview will allow IT to apply this update to systems in a testing environment to check for potential issues.
There are two rollups issued during B week: a "security-only quality update," consisting of new security fixes for the month, and a "security monthly quality rollup" that includes the security fixes for the current month and all previous monthly rollups.
For more information about the remaining security bulletins for November Patch Tuesday, visit Microsoft's Security TechCenter site.