During my career, I have built and managed hundreds of production-level client and server systems, and nothing can be more worrisome than when it comes time to apply patches and upgrades to software. Why? Because things can, and often times, do go wrong during patch and upgrade cycles. According to a few reports, it is possible that system administrators will have some minor side effects to deal with after applying this month’s patches. I cannot really comment on the accuracies of these failure reports that are surfacing. However, I can say that Microsoft’s May 2015 Patch Tuesday contained a few complexities that, if nothing else, could result in confusion for administrators. So, let me explain. First, let’s look at the overall bulletin numbers. Microsoft released 13 bulletins: MS15-043 thru MS15-055. These thirteen bulletins covered 47 unique CVE IDs. With 47 unique CVE IDs, we can assume that at least 47 vulnerabilities were addressed—sometimes a single CVE ID is used to track more than one vulnerability. Further, these 13 bulletins touched a slew of products and subsystems, including kernel, kernel mode drivers, Microsoft Office, .NET, Silverlight, Lync, SharePoint, SCM, JScript, VBScript, MMC, Schannel, and, of course, Internet Explorer. Indeed, it was a big patch cycle for system admins to deal with. Second, we have MS15-052 and MS15-055. MS15-052 addressed a security feature bypass in the Windows kernel, whereas MS15-055 addressed an information disclosure vulnerability in Schannel (Secure Channel). One potential area of confusion for admins, as well as a source of potential patch installation errors, related to these two bulletins is that KB3061518 in MS15-055 actually supersedes KB3050514 in MS15-052. According to Microsoft, manual installation of these patches requires that administrators install MS15-052 first, before installing MS15-055. One of the reports surfacing is related to machines not being able to contact licensing servers after installing the Schannel patch. I don’t suspect that issue to be related to this MS15-052/MS15-055 supersession and upgrade sequence. This is likely due to some other software dependency. Software dependency is a huge factor that must be considered with developing, testing and deploying any type of patch or upgrade. Lastly, we have MS15-044. MS15-044 was a beast of a bulletin. One area of confusion results from the various updates provided by MS15-044 having identical update files provided by other bulletins released in the same cycle. For example, MS15-049 addressed an elevation of privilege vulnerability in Silverlight, whereas MS15-044 addressed, amongst other things, a remote code execution vulnerability in Silverlight due to improper processing of TrueType fonts. However, both of these bulletins shipped the exact same patch set given as KB3056819. This is not a huge deal but could cause confusion for those who choose to install patches manually and who don’t read the fine print.
