Yesterday was a big day for Patch Tuesday. It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install. Furthermore, these new ‘monthly update packs’ will be combined, so for instance, the November update will include all the patches from October as well.
We have been told by Microsoft that this will start with Windows 10 specifically, but that in theory, it will move to other operating systems as well. There has been criticism over the new patching release method since Microsoft announced the changes in August, but one important item to remember is that Microsoft has changed their course before, so until we see it come out next month, don’t make any drastic changes to your team’s patching methods.
With that being said, we have some interesting updates released this month to go over. Of the thirteen patches released for September, only three were rated critical (compared to the five critical patches out of the nine released in August). Most notably is MS16-104 and MS16-105, two patches which are available for Internet Explorer and Microsoft Edge.
These critical patches are typical in that they are remote code execution vulnerabilities, but if you are running Internet Explorer you must also install MS16-116 to be fully protected. To note, MS16-116 is classified as critical on client operating systems and moderate on servers.
Also of interest is MS16-108 which is a critical update for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016. At this point, the number of enterprises running Microsoft Exchange on-premises is dwindling as many have moved to Office365. Migrating to Office365 can be done by setting up an email cutover migration, though it’s worth noting that transitioning from an established infrastructure to a cloud environment, while offering compelling benefits, will not be without obstacles.
If you are already on Office365, it’s assumed that Microsoft has already rolled this patch out and you can ignore this patch. If you are still running Exchange on premises, this update should be installed soon. However, after installation, it’s worth moving your mail to the cloud.
The next round of patches may be a drastic change from what we’re seeing today, but security teams should be prepared ahead of time and ensure all previous critical updates are completed.