Microsoft's September Patch Tuesday load lighter than usual

Microsoft gave IT departments a break this month, issuing just two patches in its September Patch Tuesday release. Separate security updates should keep some busy through the month, though.

Both patches address cross-site scripting (XSS) exploits that Qualys CTO Wolfgang Kandek says "are not very serious." One patch addresses an exploit in a development tool, while the other addresses a system management tool. Neither tool is widely deployed, Kandek says, meaning many IT departments are looking at a relatively light update load.

"It's great for us. We're not even ordering pizza for a long day, which is what we normally do," Kandek says. "It's only two patches. I think it's going to be good for everybody, IT and administrators as well."

However, IT departments should keep an eye on a separate Microsoft security advisory that addresses security certificates, Kandek says. In an update that will default to auto-install through Windows Update next month, Microsoft will begin requiring security certificates with more than 1024 bits.

Although the certificate upgrade will amount to little more than a hiccup for Web browsing, Kandek says IT departments should test the update on a limited set of internal email systems to ensure they'll be compatible when the update goes to auto-install in October.

"The bigger problem is in other technologies that use certificates," Kandek says. "So in mail server, for example, there might be some malfunction they may not find anymore, where you cannot safely communicate anymore and it might just fail, rather than giving you the option of retrying like the browser does."

Microsoft warned customers of the issues late last week.

Moving ahead, IT departments are expected to see a much heavier workload. Andrew Storms, director of security operations for nCircle, said that while IT departments "will be smiling for the rest of the month," question marks surround Microsoft's next security updates.

"This does make you wonder what Microsoft has planned for the October patch," Storms says. "Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?"

Amol Sarwate, director of vulnerability research at Qualys, downplayed any possibility that Microsoft was holding onto patches for October. However, he did acknowledge that Microsoft's general security update processes indicate a potential spike in patches next month.

"Usually what happens is every other alternate month for Microsoft is a bigger patch month, and many times they just aren't ready," Sarwate says. "They couldn't get certain patches into the life cycle, so they get pushed to the next month."

In September of last year, Microsoft issued five updates on Patch Tuesday, followed by eight in October. 

Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World. Follow him on Twitter @ntwrkwrldneagle and keep up with the Microsoft, Cisco and Open Source community blogs. Colin's email address is
