The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.
Most of them can be postponed, the experts said today, at least according to the information available in the bare-bones advance notice.
"Bulletin 7 [the SQL Server update] will depend on the attack vector Microsoft reveals next week," said Storms. "If it's an elevation of privilege bug that's difficult [for hackers] to get to, you'll be better off waiting."
Storms based that advice on the calendar: Many enterprise lock down their networks, servers especially, in October and early November to insure they're running during the crucial holiday season. During a lockdown period, IT administrators pass on all patching, just in case a fix causes problems. SQL Server is often a mission-critical part of a company's back-end infrastructure, powering databases that manage online sales stores.
Alex Horan, senior product manager at Core Security, gave a nod to Bulletin 7, too, but for a different reason. "These patches highlight the amount of code that is being reused," said Horan. "Bulletin 7 involves code reused in versions since 2000. That's 12 years of reused, and now vulnerable code."
It's possible, Horan continued, that the vulnerabilities have been quietly exploited for years.
Also next Tuesday, Microsoft will begin rolling out a long-planned update that invalidates all certificates with keys less than 1,024 bits long.
It was in June that Microsoft first told users it was going to disable those certificates, saying at the time that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update that month, but made it an optional download. Next week, Microsoft will effectively push it to everyone.
The update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It spoofed Windows Update to infect completely-patched Windows PCs.
Microsoft reacted by throwing the kill switch on three of its own certificates.