Microsoft's September Patch Tuesday load lighter than usual

Microsoft gave IT departments a break this month, issuing just two patches in its September Patch Tuesday release. Separate security updates should keep some busy through the month, though.

Both patches address cross-site scripting (XSS) exploits that Qualys CTO Wolfgang Kandek says "are not very serious." One patch addresses an exploit in a development tool, while the other addresses a system management tool. Neither tool is widely deployed, Kandek says, meaning many IT departments are looking at a relatively light update load.

RELATED: Microsoft: Avoid a (bad) October surprise, lengthen RSA certificates now

"It's great for us. We're not even ordering pizza for a long day, which is what we normally do," Kandek says. "It's only two patches. I think it's going to be good for everybody, IT and administrators as well."

However, IT departments should have an eye on a separate Microsoft security advisory that addresses security certificates, Kandek says. In an update that will default to auto-install through Windows Update next month, Microsoft will begin requiring security certificates with more than 1024 bits.

Although the certificate upgrade will amount to little more than a hiccup for Web browsing, Kandek says IT departments should test the update on a limited set of internal email systems to ensure they'll be compatible when the update goes to auto-install in October.

"The bigger problem is in other technologies that use certificates," Kandek says. "So in mail server, for example, there might be some malfunction they may not find anymore, where you cannot safely communicate anymore and it might just fail, rather than giving you the option of retrying like the browser does."

Microsoft warned customers of the issues late last week.

Moving ahead, IT departments are expected to see a much heavier workload. Andrew Storms, director of security operations for nCircle, said that while IT departments "will be smiling for the rest of the month," question marks surround Microsoft's next security updates.

"This does make you wonder what Microsoft has planned for the October patch," Storms says. "Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?"

Amol Sarwate, director of vulnerability research at Qualys, downplayed any possibility that Microsoft was holding onto patches for October. However, he did acknowledge that Microsoft's general security update processes indicate a potential spike in patches next month.

"Usually what happens is every other alternate month for Microsoft is a bigger patch month, and many times they just aren't ready," Sarwate says. "They couldn't get certain patches into the life cycle, so they get pushed to the next month."

In September of last year, Microsoft issued five updates on Patch Tuesday, followed by eight in October. 

Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World. Follow him on Twitter @ntwrkwrldneagle and keep up with the Microsoft, Cisco and Open Source community blogs. Colin's email address is

Read more about wide area network in Network World's Wide Area Network section.