With 14 security updates that include fixes for 33 separately identified security holes, 14 new nonsecurity patches, two changes to the installers for older security patches, and three changes for older nonsecurity updates, November's Black Tuesday is going down as one of the weightiest ever. But the patches themselves are only part of the story.
This month's Black Tuesday patches started out with an odd -- though hopeful -- sign. Microsoft voluntarily pulled two Security Bulletins (with an unknown number of associated patches) before they were released. Both MS14-068 and MS14-075 are listed in the official Security Bulletin summary as "Release date to be determined." I've never seen that designation before. Presumably Microsoft caught bugs in the patches and pulled them at the last minute. If so, that's a very positive development.
Today's updates includes KB3003743 and with it comes termsrv.dll version 6.1.7601.18637
Jason Hart has also tweeted that KB 3003743 kills NComputing's virtualization software.
This sounds reminiscent of the problems caused last month by KB 2984972, which also clobbered concurrent RDP sessions on some machines. The easy solution last month was to uninstall the patch, and RDP started working again. Microsoft has a far more complex solution in the KB 2984972 article. There's no indication at this point if the manual solution works with KB 3003743. I also haven't heard if any App-V packages are affected -- another hallmark of the bad KB 2984872 patch last month.
If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation. Yes, EMET 5.1 was just released on Monday.
There's some concern in the press that the newly fixed "schannel" bug may be as pervasive and exploitable as the infamous OpenSSL Heartbleed hole discovered earlier this year.
No doubt, you should install MS14-066/KB 2992611 on any Windows machine that runs a Web server, FTP server, or email server -- sooner, rather than later. But do you need to drop everything and patch your servers this instant? Opinions vary.
The SANS Internet Storm Center, which usually takes a very proactive patching stance, is hedging its bets with this one. SANS has MS14-066 listed as "Critical" instead of the more-dire "Patch Now." Dr. Johannes Ullrich goes on to say:
My guess is that you probably have a week, maybe less, to patch your systems before an exploit is released. You got a good inventory of your systems? Then you are in good shape to make this work. For the rest (vast majority?): While you patch, also figure out counter measures and alternative emergency configurations.
The most likely target are SSL services that are reachable from the outside: Web and Mail Servers would be on the top of my list. But it can't hurt to check the report from your last external scan of your infrastructure to see if you got anything else. Probably a good idea to repeat this scan if you haven't scheduled it regularly.
Next move on to internal servers. They are a bit harder to reach, but remember that you only need one internal infected workstation to expose them.
Third: Traveling laptops and the like that leave your perimeter. They should already be locked down, and are unlikely to listen for inbound SSL connections, but can't hurt to double check. Some odd SSL VPN? Maybe some instant messenger software? A quick port scan should tell you more.
A smattering of urban mythology is already forming around schannel. You may read in the press that the schannel security hole has been around for 19 years. Not true -- the schannel bug is identified as CVE-2014-6321, and it was discovered by unidentified researchers (possibly internal to Microsoft). It's a hole in the software for HTTPS connections.
The 19-year-old vulnerability, which was discovered by the IBM X-Force research team, is CVE-2014-6332. It's a hole in COM that can be exploited through VBScript. That's the bug fixed by MS14-064/KB 3011443. As best I can tell, the two security vulnerabilities have nothing in common.
Don't get confused. BBC mixed up the two security holes, and other news outlets are parroting the report.
As for the sudden disappearance of the monthly security webcast -- there's been no official announcement, but Dustin Childs, who used to run the webcasts, has been re-assigned, and I couldn't find a webcast for the November security bulletins. Earlier this morning, Childs tweeted:
14 bulletins instead of 16-they didn't even renumber. No deployment priority. No overview video. No webcast. I guess things change.
That's a stunning development, particularly for anyone who has to make sense of Microsoft's patching proclivities. Failing to renumber bulletins won't shake anyone's faith in Microsoft's patching regimen -- I take it as a welcome change. But the lack of a monthly security bulletin deployment priority list, overview video, or webcast leaves most Windows security pros in the lurch. Microsoft has been issuing an overview video for Black Tuesday for years, and the webcast offers a lot of down-and-dirty advice not available anywhere else.
If the webcasts have been pulled -- there's no official confirmation I can see -- Microsoft's enterprise customers, in particular, have good reason to complain.