May Patch Day is live, so go grab Microsoft’s latest security updates.
According to the May summary bulletin, Microsoft released two security bulletins containing software updates for Windows and Office. One update fixes a critical code execution flaw in the Windows WINS service. Though Windows doesn’t enable this service by default, most administrators do run it on their Windows servers, so this flaw poses a significant risk to your Windows servers.
The second update fixes various code execution flaws in PowerPoint. If you open a specially crafted PPT file, an attacker can leverage this flaw to execute code on your machine. If you have local admin rights, the attacker gains complete control. Lately, attackers have leveraged malicious Office files quite successfully to distribute malware, making this a flaw you want to fix sooner rather than later.
Compared to last month’s 17 security bulletins, two updates seem like a vacation. Nonetheless, you should still test and install these updates as soon as you can. Personally, I’d start with the PowerPoint update, since I suspect users often get tricked into opening malicious Office files. The WINS vulnerability is also serious. However, most firewalls (like ours) block WINS by default, so the flaw primarily poses an internal risk.
We’ll post more detailed alerts about these two bulletins shortly. — Corey Nachreiner, CISSP
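Because the WINS flaw only matters on servers where the service is actually installed and running, a quick inventory tells you which machines to patch (and test) first. The script below is an added example, not part of the original post or WatchGuard’s own tooling; it assumes you have CIM/WinRM access to the servers, that the service name is `WINS` (display name “Windows Internet Name Service (WINS)”), and it uses a constructed server list.

```powershell
# Added example (not from the original post): report which servers run the WINS service,
# so the WINS code-execution fix can be prioritised where it is actually exposed.
# Assumptions: CIM/WinRM access to each server; service name 'WINS'; constructed server list.

$servers = @('dc01.example.local', 'dc02.example.local', 'web01.example.local')  # constructed

$report = foreach ($server in $servers) {
    try {
        # Win32_Service works on both Windows PowerShell and PowerShell 7 (unlike Get-Service -ComputerName)
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $server `
                               -Filter "Name='WINS'" -ErrorAction Stop
        if ($null -eq $svc) {
            # Service not installed: this server is not exposed to the WINS flaw
            [pscustomobject]@{ Server = $server; WinsInstalled = $false; State = 'n/a'; StartMode = 'n/a' }
        } else {
            [pscustomobject]@{ Server = $server; WinsInstalled = $true; State = $svc.State; StartMode = $svc.StartMode }
        }
    } catch {
        # Unreachable or access denied: flag it rather than silently treating it as safe
        [pscustomobject]@{ Server = $server; WinsInstalled = 'unknown'; State = "error: $($_.Exception.Message)"; StartMode = 'n/a' }
    }
}

$report | Sort-Object -Property WinsInstalled -Descending | Format-Table -AutoSize

# Servers with WINS installed and running are the ones to patch first and, per the post,
# the ones whose patch is worth trying on a non-production mirror before deploying.
$report | Where-Object { $_.WinsInstalled -eq $true -and $_.State -eq 'Running' } |
    ForEach-Object { Write-Output "Patch priority: $($_.Server) runs WINS ($($_.StartMode) start)" }
```

Servers that come back as `unknown` deserve a manual look; a server you cannot query is not the same as a server without WINS.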
Doug Stewaret says
When you say to test and install these updates, how do you do that? Have a pc that’s just for test purposes, get the updates and make sure nothing goes wrong?
Corey Nachreiner says
Doug, yes, that’s essentially it. I guess in the real world, how aggressive you are at testing updates before deploying will depend a lot on the size of your organization, your staff size, and the business risk associated with whether or not the system you are updating goes down due to problems.
For instance, ideally, an SMB company that has production Active Directory servers, email servers, DNS & WINS servers, and a Web server (among others) would want to also have a lab or development environment that mirrors their production environment. For instance, it is very common to have a development web server that mirrors your real web server, except you can safely make big changes to the development server to see what happens before pushing to the production one.
With virtualization technology, having this sort of mirrored test/development environment is a bit easier and cheaper too.
The simple idea is, you install the patch on the non-production server first, and run it for a few hours/days to make sure it doesn’t introduce any unexpected problems in your environment. In a perfect world, this extra step would be unnecessary. However, some past Microsoft patches have introduced issues that have caused downtime for production servers. So we recommend it to help you avoid that downtime, mostly for services that are business critical.
How strongly you follow this “test then deploy” policy really should depend on your business, your network, and your risk. For instance, for Windows client patches, maybe you don’t feel the need to test the patches too much, because just having one employee who may have trouble with IE due to an IE patch isn’t such a big deal, and can easily be fixed. However, if you make your money from an ecommerce site, you will want to be very careful updating your Web server software, and any other services on that computer. So it’s really your server environment you want to concentrate most on when testing updates, being especially careful with the ones your business relies on.
For this particular Patch Day, the WINS service tends to reside on servers that usually provide naming service for your network, which many things in the network will rely on. So I would try to test the WINS patch before pushing it. However, it’s very unlikely that the PowerPoint update will cause any mission critical outages… so maybe you don’t have to test that. In any case, it all depends on your business’ needs.
As an aside, I will say that I feel like Microsoft’s patch quality has gotten better over the years. They seem to test their patches better. Years ago, it was fairly common to hear stories about how a MS patch broke something. I occasionally still see some of those stories, but not as often.