
Microsoft Plans Quiet Patch Tuesday

Microsoft is planning a relatively quiet release for Patch Tuesday with just a pair of security updates in tow next week.

Both security bulletins – which will be available Sept. 11 – address privilege escalation issues and are rated ‘Important.’ According to Microsoft, one of the bulletins is focused on Microsoft Developer Tools, while the other is focused on Microsoft Server Software. Bulletin one requires Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1 be installed, so this is a relatively small target pool, opined Alex Horan, senior product manager at CORE Security.

“Bulletin Two requires Microsoft Systems Management Server 2003 Service Pack 3 or Microsoft System Center Configuration Manager 2007 Service Pack 2 be installed,” he said. “An outside attacker would have no idea if those packages will be installed on the system they attack, but the odds are not high.”

“In general, this month’s Patch Tuesday should be a breeze,” he added. “Both bulletins are privilege escalation vulnerabilities, meaning the attacker has to already have a foothold on the system to leverage them. The reason these are important, though, is that through a client-side attack or drive-by download, an attacker could gain a foothold on a user’s machine.”

The lightweight security update could be the calm before the storm for some organizations, argued Marcus Carey, security researcher at Rapid7, given Microsoft’s plans to release an update next month through Windows Update that will increase the requirements for certificates. The update was initially made available in August via the Download Center.

“While there are only two bulletins, this could still be a busy month for organizations since Microsoft will be issuing an update next month that will deprecate the use of certificates that are less than 1024 bit encrypted,” he told SecurityWeek. “Microsoft will definitely push this update out in October. The light patch month in September will allow organizations to prepare for this, which is great as it has a potential to break things if applications are still using outdated certificates. It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates.”

Organizations that find they are using certificates with RSA key lengths of less than 1024 bits will need to reissue those certificates with a key length of at least 1024 bits, blogged Angela Gunn of Microsoft’s Trustworthy Computing Group.


“We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organization is aware of and prepared to resolve any known issues prior to October,” she wrote. 
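The evaluation Gunn recommends starts with an inventory: which certificates in the machine and user stores carry RSA keys shorter than 1024 bits. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the standard `Cert:` provider and the .NET `X509Certificate2` properties available in Windows PowerShell, and uses the 1024-bit threshold the article cites. The function name `Get-WeakRsaCertificate` is hypothetical.

```powershell
# Added example (not from the article or Microsoft): list certificates whose RSA public key
# is shorter than the 1024-bit minimum that the October update described above enforces.
$MinimumKeyBits = 1024   # threshold cited in the article (Security Advisory 2661254)

function Get-WeakRsaCertificate {
    param(
        # Hypothetical defaults: scan both machine-wide and per-user stores, all substores
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = $MinimumKeyBits
    )
    foreach ($path in $StorePath) {
        # -Recurse also yields store containers, so keep only certificate objects
        Get-ChildItem -Path $path -Recurse |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # The 1024-bit minimum applies to RSA keys; skip ECC/DSA certificates
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Weakest keys first, so reissue work can be prioritized before the October update lands
Get-WeakRsaCertificate | Sort-Object KeyBits | Format-Table -AutoSize
```

Run it in an elevated session so the LocalMachine stores are readable. Every row it prints is a certificate to reissue (or a chain to replace) before the update, rather than after an application breaks; re-run the same script afterwards and an empty result confirms the cleanup.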
