Microsoft will release 16 security bulletins next week, five of which are rated as critical.
The bulletins patch flaws in Windows, Internet Explorer, Office, Exchange and the .NET Framework. The five critical patches all affect Windows, while the second bulletin affects both Windows and Internet Explorer.
Russ Ernst, director of product management at Lumension, said: “We have enjoyed a relatively low number of patches each month in 2014, but November definitely takes a big jump up. We have to go back to June 2011 for the last time Microsoft released this many bulletins in a single month, although in that month there were nine critical bulletins.
“The most recent monthly update that included nearly this many bulletins was when Microsoft released 14 bulletins back in September 2013. Next week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise.”
Karl Sigler, threat intelligence manager at Trustwave, said: “One of these bulletins may potentially address a critical Windows OLE remote code execution vulnerability. As you might recall, Microsoft published a security bulletin last Patch Tuesday to close a zero day hole being exploited in targeted attacks in the wild.
“The vulnerability was in OLE, and attackers were exploiting it with a specially crafted PowerPoint document. Unfortunately the patch for CVE-2014-4114 did not cover the vulnerability entirely and exploits continued to succeed.
“Microsoft addressed this with some workarounds and Fix-IT released in security advisory 3010060. Although Microsoft mentioned that an out-of-band security update might be necessary due to the severity of this vulnerability, it seems likely now that Microsoft will wait and include this security update in the November release on Tuesday.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “The patching priority will follow the critical issues, with the Internet Explorer patch being the most exploitable attack vector and the most likely to have already been involved with active attacks in the wild.
“Exchange server patching is always tricky because the systems are mission critical and often deployed on the perimeter. Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”