October’s Patch Tuesday has come and gone, giving companies another set of Microsoft updates. According to CSO Online, this month is light overall, with only six security bulletins and no quality of life (QoL) improvements. But half of those bulletins are rated critical and address remote code execution vulnerabilities in Internet Explorer (IE), the JScript and VBScript scripting engines and the Windows Shell; the remaining three, covering Edge, Office and the Windows kernel, are rated important. And while many companies delay Patch Tuesday installs until Microsoft has worked out any bugs in the updates themselves, experts are warning this is one to deploy ASAP: better to have no treats than big security tricks.
What’s in the Bag?
As noted by Computerworld, the new patch addresses three critical problems: MS15-106, MS15-108 and MS15-109. First up is MS15-106, the cumulative update for Internet Explorer 7 through 11. It covers fourteen vulnerabilities, chiefly memory corruption flaws in the browser and in the JScript and VBScript engines it embeds. An attacker who lures a user to a specially crafted web page could use them to run arbitrary code with that user’s privileges. In the same vein is MS15-108, which fixes four vulnerabilities in the JScript and VBScript scripting engines themselves and, if exploited, also leads to remote code execution.
Last but not least is MS15-109, which fixes two privately reported vulnerabilities in the Windows Shell: a memory corruption flaw and a memory allocation flaw in the tablet input component, either of which could allow remote code execution. The other three updates are rated important and include fixes for Microsoft Edge, Office and the Windows kernel. While some experts are hesitant about applying the kernel patch for fear of breaking more than it fixes, the balance here favors updating immediately rather than waiting for the next iteration.
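For administrators who want to confirm that the critical bulletins actually landed on a host, the following PowerShell script is an added example and not code from the original article or from Microsoft. It checks two things: whether the KB updates you map to each bulletin appear in the installed hotfix list, and whether the Windows Update Agent still reports any critical-severity updates as missing. The KB numbers in `$Bulletins` are placeholders, not real identifiers; replace them with the KB article numbers listed in each bulletin’s affected-software table for your OS and IE version.

```powershell
# Added example (not from the original article or from Microsoft): verify that
# the October 2015 critical bulletins are applied on the local machine.
#
# Method 1 - Get-HotFix: look for the KB numbers each bulletin ships as.
# Method 2 - Windows Update Agent COM API: ask the agent what is still missing.
#   This is supersession-aware, so it is the better answer on a machine that has
#   already taken a newer cumulative update that replaced the October KBs.

# PLACEHOLDER KB numbers: fill these in from the bulletin's affected-software
# table for your OS / IE version. They are not real update identifiers.
$Bulletins = @{
    'MS15-106' = @('KB0000001')   # placeholder: IE cumulative update KB
    'MS15-108' = @('KB0000002')   # placeholder: JScript/VBScript engine KB
    'MS15-109' = @('KB0000003')   # placeholder: Windows Shell KB
}

function Test-BulletinCoverage {
    # Returns one object per bulletin saying whether any of its KBs is installed.
    param([hashtable]$Map = $Bulletins)

    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID

    foreach ($bulletin in ($Map.Keys | Sort-Object)) {
        $present = @($Map[$bulletin] | Where-Object { $installed -contains $_ })
        [pscustomobject]@{
            Bulletin  = $bulletin
            Installed = ($present.Count -gt 0)
            MatchedKB = ($present -join ',')
        }
    }
}

function Get-PendingCriticalUpdates {
    # Asks the Windows Update Agent (against WU or the configured WSUS server)
    # for updates that are not installed, then keeps the critical-severity ones.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        if ($update.MsrcSeverity -eq 'Critical') {
            [pscustomobject]@{
                Title    = $update.Title
                KB       = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
                Severity = $update.MsrcSeverity
            }
        }
    }
}

# Run both checks. An empty second table means no critical updates are pending.
Test-BulletinCoverage      | Format-Table -AutoSize
Get-PendingCriticalUpdates | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. `Get-HotFix` only lists what the Quick Fix Engineering store knows about, so a bulletin can show as missing on a host that already has a later cumulative update superseding it; treat the Windows Update Agent result as the authoritative answer, and be aware that the search needs connectivity to Windows Update or your WSUS server.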
Patch Tuesday Encounters the Patch Problem
According to Tech Week Europe, 2015 has already set the record for the most bulletins released in a calendar year, and there are still two Patch Tuesday updates left. Although the newest crop of updates is higher priority than those in previous months, it’s no wonder some businesses are experiencing a kind of patch fatigue, which sees them habitually ignoring updates because the system is more or less working as intended.
But consider the recent problems of carmaker Volkswagen, which was hit by a firestorm of controversy after it emerged that the engine software in its diesel vehicles was designed to recognize emissions tests and behave differently during them than on the road. While a software update alone was expected to fix some 30,000 of the affected vehicles, another 400,000 can’t be fixed with software alone and aren’t so easy to remedy.
Put simply, the problem got away from VW; what could have been a quick fix turned into a massive public relations nightmare. The same goes for companies that hold off on critical patches and updates. At first, problems are rare or minor, and the risk of a system-breaking fix seems to outweigh the benefit of closing security holes. Over time, however, small holes become big problems, and companies can find themselves stuck on the wrong side of the patch divide trying to find a way across.
October 2015 marks a big month for Microsoft: 111 bulletins have already been released this year, compared to the previous high of 106 for all of 2013. And while companies might be forgiven for thinking that this particular six-bulletin release is more trick than treat, it’s worth applying before fall is in full swing and ghouls and ghosts come out to play. The numbers may be higher, but the threats aren’t just smoke and shadows: It’s better to be protected now than playing catch-up later.