Microsoft releases record number of patches for the year with October Patch Tuesday

"Pretty ho hum," but with important updates to disable the RC4 algorithm

Microsoft has released a record number of patches this year, with its October 2015 Patch Tuesday making it 111 security bulletins released in a single year, beating 2013's figure of 106.

According to Craig Young, security researcher at Tripwire, however, the patches themselves are thankfully nothing out of the ordinary. "Network administrators should be relieved this month to learn that none of the vulnerabilities being patched are remotely exploitable," said Young.

He continued: "This is a pretty standard mix of web and file format vulnerabilities requiring some degree of user interaction or user error. But with users being the biggest risk to a corporate network, these patches should be deployed without undue delay."

Young's colleague Tyler Reguly, security research manager at the same organisation, described the updates as "pretty ho-hum", and "typical", but still advised sysadmins not to sit back and take a break, as there are still a number of ongoing vulnerabilities that "should be patched".

Microsoft itself has rated only three of the bulletins as critical. These include a patch for remote code execution vulnerabilities in VBScript and JScript, as well as Internet Explorer.

This month's Patch Tuesday is also notable for a different reason, which technically isn't even a part of Patch Tuesday at all.

Back in May 2014, Microsoft announced the availability of an update for its .NET Framework that disables the rather decrepit RC4 algorithm in Transport Layer Security (TLS), which is now regarded as insecure.

"Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions," wrote Microsoft back then.

An update late yesterday to this Security TechCenter blog explains how, as of 13 October 2015, "Microsoft is broadening the affected software list to include Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications".

As Threatpost.com points out, it's a good time for Microsoft to begin stepping up the retirement of RC4, with predictions of a practical collision attack against the SHA-1 hash algorithm - which RC4 utilises - now suggesting such an occurrence could be only weeks or months away, rather than years.