
On December Patch Tuesday, Microsoft unwraps more changes to patching

Microsoft delivers 12 patches and adjusts its operating system servicing model for administrators who want security-only updates separate from the monthly quality rollup.

Windows Server administrators received a relatively light December Patch Tuesday and an early holiday present: an adjusted cumulative patch model in response to customer feedback.

Most of the 12 security bulletins this month address critical vulnerabilities in the Windows desktop operating systems. Windows Server administrators should focus on security bulletin MS16-155, which closes a vulnerability in .NET Framework 4.6.2.

"The .NET vulnerability is something a server administrator should take a look at, especially because there was one vulnerability in there that was publicly disclosed," said Amol Sarwate, director of vulnerability labs for Qualys Inc., in Redwood City, Calif.

Microsoft rates most of the other updates that affect Windows Server systems as important -- such as the kernel-related vulnerabilities in bulletins MS16-150, MS16-151 and MS16-152 -- and they do not present a significant threat to the data center, Sarwate said.

"They are elevation-of-privilege issues, where the attacker needs some kind of privilege to execute or exploit them," Sarwate said. "These exploits only cause information disclosure, which means they do not cause any compromise right away. They could leak addresses in memory or things like that, [which] could be used in further attacks."

Microsoft adjusts patching model again

Despite concerns from administrators, Microsoft's changes to its patching model for several operating systems -- including Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 -- have been relatively uneventful since the switch in October.

Rather than issuing many individual updates that administrators install selectively, the rollup model delivers a single monthly update that bundles that month's security, reliability and bug fixes. This model aligns older operating systems -- which also include Windows 7 and Windows 8.1 -- with the one used in Windows 10. Microsoft also provides a separate security-only update that contains just the security fixes for the month.

Each monthly rollup supersedes the previous one and includes all updates from previous monthly rollups. Prior to December Patch Tuesday, however, the current monthly rollup also superseded the previous month's security-only update. Because Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) 2007 treat a superseded update as obsolete, administrators on those tools could not deploy just the security-only update they wanted. The patching schedule for Windows Server 2016 differs slightly, with security-only updates coming on the second Tuesday of every month and quality monthly rollups coming on the fourth Tuesday of each month.

In a ConfigMgrDogs blog on the TechNet site, Microsoft engineer Scott Breen explained that the "supersedence relationship for updates" would change to accommodate customers who use WSUS or SCCM 2007: starting in December, the monthly rollup no longer supersedes the security-only updates. With this change, companies that use WSUS or SCCM 2007 can now:

  • Selectively install Security Only Quality Updates -- bundled by month -- at any time;
  • Periodically deploy the Security Monthly Quality Rollup and only deploy the Security Only Quality Updates since then; and
  • More easily monitor software update compliance using Configuration Manager or WSUS.
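The practical way to confirm that the new supersedence relationship has reached your own WSUS server is to ask WSUS which updates supersede each Security Only Quality Update. The script below is an added example written for this article, not code from Microsoft or the ConfigMgrDogs blog. It uses the UpdateServices PowerShell module that ships with the WSUS role and the WSUS administration API; the server name, port and six-month look-back window are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or Microsoft): list the Security Only
# Quality Updates a WSUS server knows about and report which updates, if any,
# supersede them. Before the December change the current monthly rollup
# appeared in that list; afterwards it should be empty, and previously
# declined security-only updates can be approved again.
Import-Module UpdateServices

# Assumed WSUS host and port; use -UseSsl and 8531 for an SSL-enabled server.
$wsus = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530

# Restrict the query to updates released in the last six months (assumed window).
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.FromCreationDate = (Get-Date).AddMonths(-6)
$scope.ApprovedStates   = 'Any'

$securityOnly = $wsus.GetUpdates($scope) |
    Where-Object { $_.Title -like '*Security Only Quality Update*' }

$report = foreach ($u in $securityOnly) {
    # Walk the supersedence relationship WSUS and SCCM 2007 use when they
    # treat an update as obsolete.
    $supersededBy = $u.GetRelatedUpdates(
        [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)

    [pscustomobject]@{
        KB           = ($u.KnowledgebaseArticles -join ',')
        Title        = $u.Title
        Released     = $u.CreationDate.ToString('yyyy-MM-dd')
        IsSuperseded = $u.IsSuperseded
        IsDeclined   = $u.IsDeclined
        SupersededBy = (($supersededBy | ForEach-Object { $_.Title }) -join '; ')
    }
}

# Any row with IsSuperseded = True after the December change means the
# metadata has not been resynchronized yet, or the supersedence was set locally.
$report | Sort-Object Released | Format-Table -AutoSize
```

Run it on the WSUS server (or any host with the WSUS administration console installed) under an account that is a WSUS administrator. A security-only update that was auto-declined under the old relationship is not re-approved by the metadata change itself; once the report shows it is no longer superseded, approve it for the relevant target group with the update object's Approve() method, the same call the console uses.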

Microsoft ends year with increase in security bulletins

Microsoft capped the year with 155 security bulletins, an increase of almost 15% over the 135 bulletins released in 2015. With threats on the rise, administrators should adopt security procedures or reinforce existing ones in 2017 to prevent systems from falling to an attack, Sarwate said.

Sarwate's recommendations for administrators include:

  • Follow standard protocol. "Do not use desktop-like behavior on servers. ... Do not use a browser to search for anything or open emails."
  • Stay current with patches. "Patching is still the cheapest, the most effective measure that organizations can take to prevent breaches and attacks."
  • Stay informed. "Subscribe to some sort of security feed or security newsletter or an alerting system that informs administrators about zero-days or exploit kits or attacks happening in the wild. If systems are already up to date, the administrator can focus on things for which patches are not available."

For more information about the remaining security bulletins for December Patch Tuesday, visit Microsoft's Security TechCenter site.

Tom Walat is the site editor for SearchWindowsServer. Write to him at [email protected] or follow him @TomWalatTT on Twitter.
