When Patch Tuesday rolled around last month, we were busy smirking about how running Server Core meant that you could avoid many of the inevitable updates. But that isn’t the case all the time, and this month proves the point.
Microsoft’s pre-announcement of the expected Patch Tuesday content (which will hit, as usual, on Wednesday Australian time) includes many of the usual suspects: every single version of Internet Explorer needs patching, for instance. There’s also a patch for Lync 2013, a platform which is promising updates in the near future to further enhance its interoperability with Skype.
The seven announced patches are broad enough that even stripped-down Server Core installations, which exclude everything that requires a graphical user interface, will need patching and rebooting. All the relevant versions (for both the 2008 and 2012 versions of Windows Server) require the patch, which fixes a remote code execution vulnerability. That’s a task which will have to be scheduled for minimal disruption.
All that adds up to a potentially complicated month. As Sophos’ Paul Ducklin puts it: “The range and reach of this month’s updates means it would be wise to make sure that you have all your operational ducks in a row before the patches actually come out.”
Comments
One response to “Patch Tuesday: Sometimes Even Server Core Can’t Save You”
Perhaps I misunderstand why anyone would think that just running a headless Windows Server Core install would result in not having to patch?
Michael,
Since Windows Server Core editions are stripped-down versions of their full-blown counterparts, it makes sense that many vulnerabilities affecting full-blown Windows Server editions are irrelevant on Windows Server Core. For example, you can’t fire up IE on Server Core and many (most?) IE-related patches should be inapplicable to Core editions. However, Server Core could depend on some IE components, so some IE-related patches may be relevant (see this discussion on serverfault: http://serverfault.com/questions/478895/why-does-my-server-core-gets-patches-for-internet-explorer).
The statement, “Server Core installations, which exclude everything that requires a graphical user interface…”, isn’t accurate. If this statement were true, the only way to manage / interact with Server Core installations would be through a console shell or remote shell (e.g. psexec, Enter-PSSession, ssh). There would be no RDP access, Notepad, timedate.cpl, intl.cpl, etc. And WinForms-based tools such as Core Configurator would only work from a remote workstation.