
Microsoft cumulative updates bring security, frustration

One year in, Microsoft's cumulative updates model has made enterprise IT systems more secure, but forced administrators to adjust their patching process.

A year ago, on October Patch Tuesday, Microsoft upended its customers' monthly security routine when it aligned all supported operating systems to a cumulative updates model -- and admins finally have begun to find their footing.

In the old format, administrators could prioritize Microsoft's critical updates and deploy those as soon as possible. However, this "Swiss cheese" approach -- a term used by Windows Server principal program manager Jeff Woolsey at the company's Ignite 2017 conference -- meant admins could pick and choose which vulnerabilities to address. The end result was some systems did not get updates they needed.

Microsoft expanded the cumulative updates model beyond Windows 10 in October 2016 to limit administrators to an all-or-nothing choice. Rather than select which patches to deploy first, the rollup model makes admins determine which systems get patching priority.

"Things have stabilized, and Microsoft has probably achieved their goal at this point of simplifying the process," said Todd Schell, product manager at Ivanti, an IT security company in South Jordan, Utah. "With these cumulative updates, you don't have to worry about testing all these individual updates."

While the blanket approach of the Microsoft cumulative updates model secures systems against all vulnerabilities, admins need a larger test environment and must spend more time to vet every update before deployment.

"Definitely, I think there's frustration," Schell said. "This is only one of their jobs for a lot of these people, so the time being tied up adds to the frustration factor."

Most businesses have adapted to the Microsoft cumulative updates model, which has led to a faster update deployment rate, Schell said. And, as a result, Windows systems are more secure than a year ago, Woolsey reported at Ignite.

"You can't miss one patch now and say, 'Whoops, we only deployed 10 of the 11 patches,'" said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif. "It's a lot easier to get more updates deployed."

Watch out for the Search vulnerability

On the anniversary of Microsoft's cumulative updates model, this year's October Patch Tuesday includes updates for 62 vulnerabilities, 30 of which affect Windows systems.


Graham said the most important item for Windows Server administrators is CVE-2017-11771, a critical vulnerability that affects Windows Server 2008 and up. This remote code execution vulnerability lets an unauthenticated attacker exploit a memory-handling flaw in the Windows Search service to take over a machine.

CVE-2017-11771 is similar to vulnerabilities Microsoft patched in June, July and August that closed flaws in the Server Message Block protocol. Although CVE-2017-11771 is SMB-related, it does not resemble the exploits used in the WannaCry attacks in spring 2017.
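Because the rollup model leaves admins deciding which systems get patched first rather than which patches to apply, a quick inventory of where the October rollup is missing and where the Windows Search service is actually running is the practical first step. The script below is an added example for Windows PowerShell 5.1 and is not from the article or from Microsoft; the server names are constructed, and the KB number is a placeholder because the article does not list KB IDs. It uses the standard Get-HotFix and Get-Service cmdlets, so it needs WMI/RPC reachability to the remote hosts.

```powershell
# Added example (not from the original article): list which servers still lack a
# given cumulative update and which of those expose the Windows Search service,
# so the unpatched hosts with WSearch running rise to the top of the queue.
param(
    [string[]]$ComputerName = @('server01', 'server02'),   # constructed sample names
    [string]$RollupKB = 'KB0000000'                        # placeholder: substitute the real rollup KB
)

$results = foreach ($c in $ComputerName) {
    $patched = $false
    try {
        # Get-HotFix writes an error when the KB is absent; -ErrorAction Stop turns
        # that into a catchable exception so an unreachable host is also treated as unpatched.
        $patched = [bool](Get-HotFix -Id $RollupKB -ComputerName $c -ErrorAction Stop)
    } catch {
        $patched = $false
    }

    # Windows Search runs as the WSearch service; a stopped/disabled service is
    # still patched by the rollup, but a running one is the exposure that matters first.
    $search = Get-Service -Name WSearch -ComputerName $c -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer      = $c
        RollupApplied = $patched
        SearchRunning = [bool]($search -and $search.Status -eq 'Running')
    }
}

# Unpatched hosts first (RollupApplied = False sorts before True), and among
# those, hosts with Windows Search running ahead of the rest.
$results |
    Sort-Object @{ Expression = 'RollupApplied'; Ascending = $true },
                @{ Expression = 'SearchRunning'; Ascending = $false } |
    Format-Table -AutoSize
```

Run it from a management host with an account that has WMI rights on the targets; in PowerShell 7 the -ComputerName parameter on Get-Service is gone, so wrap the per-host work in Invoke-Command instead.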

"It could be that [Microsoft] is looking at anything related to SMB," Schell said.

Microsoft also released two updates on October Patch Tuesday that address similar critical vulnerabilities in Windows Server 2008 and up. CVE-2017-11762 and CVE-2017-11763 are remote code execution vulnerabilities in the Windows font library. On an unpatched system, an attacker can exploit them through a web-based attack or with a malicious file, hosted on a server, that a user opens.

"It's one of those backdoors that you don't think about too often," Schell said.

Microsoft also flagged CVE-2017-11779 as critical, a remote code execution vulnerability in Windows Domain Name System that affects Windows Server 2012 and up. To exploit it, an attacker sends corrupted DNS responses to the target system from a malicious DNS server.

In addition, Microsoft closed a zero-day vulnerability in Microsoft Office, CVE-2017-11826. An attacker embeds malicious code in an Office document that, once opened, hands over control of the system.

For more information about the remaining security bulletins for October Patch Tuesday, visit Microsoft's Security Update Guide.

Dan Cagen is the associate site editor. Write to him at [email protected].
