Microsoft Puts Out First Monthly Security Bulletin

Microsoft on Wednesday issued the first of its new monthly security bulletins. The first installment is a blockbuster, fixing seven vulnerabilities, five of them critical. Five vulnerabilities involve Windows and two vulnerabilities affect Exchange.

The big group of patches comes less than a week after CEO Steve Ballmer unveiled the new monthly patching program. Previously, Microsoft released security bulletins on Wednesdays, although the software giant often skipped weeks if it had no patches to deliver or released patches on other days of the week if they were urgent enough. Microsoft still reserves the option to release a patch for an especially severe problem at any time.

Official reasons for the new process include a predictable schedule to help customers build Microsoft system patching into their regular IT duties and more time between patches to give customers long enough to evaluate, test and install patches.

"A major benefit of switching to a monthly release cycle for security patches is that it allows customers to install multiple patches with a single install and single reboot," Microsoft added in a white paper on the new process.

Microsoft seems to be betting that making the process more regular and encouraging users to plan on it every month will give legitimate users an edge against hackers. In many cases, the posting of a Microsoft security bulletin has served as the starting line for a race in which IT departments struggle to get their systems patched as hackers hurry to reverse engineer the vulnerability to create exploits that can be dropped into automated attack tools.

After the initial monthly patch on Wednesday, Microsoft plans to hold future regular patching days on the second Tuesday of every month.

Seven New Vulnerabilities

On the first official release date of Microsoft's new patching process, Microsoft put out seven security bulletins. Microsoft has apparently been saving them up for some time. The software giant last published a security bulletin on its regular Wednesday schedule five weeks ago on Sept. 10. Microsoft did put out a special, urgent cumulative bulletin for Internet Explorer a week and a half ago on Oct. 3, however. (See story).

Among the seven bulletins released Wednesday, five dealt with problems in Windows. Four of those were critical problems that could result in an attacker remotely taking control of a user's machine or a server. Another Windows problem that could also allow remote code execution was rated important.

An executive summary of the Windows flaws with links to the individual Windows bulletins and patches was available here.

Microsoft also disclosed two newly discovered flaws in Exchange servers -- one critical, one moderate. Both flaws could result in an attacker gaining control of the server. The summary with links to those security bulletins was available here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.