icetray - Fotolia

Light workload awaits admins on November Patch Tuesday

Microsoft said there were no critical vulnerabilities for Windows Server this month, but it issued patches for exploits that could be more damaging in the long run.

Microsoft released updates to close 53 vulnerabilities on November Patch Tuesday. But, of the 14 vulnerabilities that affect Windows Server, none have a critical rating.

All the Windows Server-related vulnerabilities are listed as important, and, per Microsoft's advice with patching, admins should address them as soon as possible.

CVE-2017-11847 uses an elevation of privilege vulnerability in the Windows kernel that affects Windows Server 2008 and up. An attacker who successfully uses this exploit can undertake a range of actions on the server, from deleting data to creating accounts with full user rights.

This vulnerability requires the attacker to first log on to the system, but Microsoft's Exploitability Index Assessment gives it a rating of "Exploitation More Likely," which should spur admins to take action without delay.

"You'd need to have someone who has access to the machines, but that's how a lot of these guys operate these days," said Gill Langston, director of product management at Qualys Inc., based in Redwood City, Calif. "They're in the network for a while and they work their way from machine to machine. In that case, they could get on to that server, they could elevate and then get further access to get more information off the machines."

Several vulnerabilities involve information disclosure in the Windows kernel: CVE-2017-11842, CVE-2017-11849, CVE-2017-11851 and CVE-2017-11853. An attacker can use these vulnerabilities together to compromise a server and attempt to stay undetected for a significant length of time to steal information from an organization.

"The more systems they have access to, the more privilege they have, the more opportunity they have to get into the network and get more information about the network," Langston said. "This definitely wouldn't be one of those crimes of opportunity where they enter remotely and grab some data. It would be a long game."

Semi-Annual Channel release requires adjustments

Microsoft added Windows Server to a Semi-Annual Channel this fall, beginning with Windows Server version 1709. The company plans to release a new edition of Windows Server every six months that targets the needs of businesses that churn out rapid application updates in DevOps environments.

In Windows Server version 1709, Nano Server is a container-based image. It has no servicing stack. To patch Nano Server, admins replace the runtime image with the latest build of the runtime image.

"In the Linux world with containers, you always rebuilt the image with the new packages. I'm not sure on the Windows side if that's completely figured out," Langston said.

As with any new technology, users and vendors will need time to develop those habits.

"It took some time on the Linux container side too," Langston said. "To this day, we talk to people who struggle with their strategy about containerization."

For more information about the remaining security bulletins for November Patch Tuesday, visit Microsoft's Security Update Guide.

Dan Cagen is the associate site editor for Write to him at [email protected].

Next Steps

Admins still adjusting to cumulative update model

How to cope with unruly security updates

Security Update Guide brings growing pains

Dig Deeper on Windows Server troubleshooting