"Bulletin 7 [the SQL Server update] will depend on the attack vector Microsoft reveals next week," said Storms. "If it's an elevation of privilege bug that's difficult [for hackers] to get to, you'll be better off waiting."
Storms based that advice on the calendar: Many enterprises lock down their networks, servers especially, in October and early November to ensure they keep running through the crucial holiday season. During a lockdown period, IT administrators pass on all patching, just in case a fix causes problems. SQL Server is often a mission-critical part of a company's back-end infrastructure, powering the databases behind online sales stores.
Alex Horan, senior product manager at Core Security, gave a nod to Bulletin 7, too, but for a different reason. "These patches highlight the amount of code that is being reused," said Horan. "Bulletin 7 involves code reused in versions since 2000. That's 12 years of reused, and now vulnerable code."
It's possible, Horan continued, that the vulnerabilities have been quietly exploited for years.
Also next Tuesday, Microsoft will begin rolling out a long-planned update that invalidates all certificates with keys less than 1,024 bits long.
It was in June that Microsoft first told users it was going to disable those certificates, saying at the time that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update that month, but made it an optional download. Next week, Microsoft will effectively push it to everyone.
The update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It spoofed Windows Update to infect completely patched Windows PCs.
Microsoft reacted by throwing the kill switch on three of its own certificates.
"My sense is that one, most enterprises have already done this, and two, the enterprises that haven't will deny [the update] via WSUS [Windows Server Update Services]," said Storms. "So really, the immediate impact will be on the smaller guys who either don't use WSUS or haven't gotten the word about the update coming. For them, stuff may break, and they're going to be scratching their heads trying to figure out why."
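An administrator who wants to know ahead of time whether the update will "break stuff" can inventory the machine's certificate stores for RSA keys below the 1,024-bit minimum. The script below is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell with the Cert: drive available and is run from an elevated session so the LocalMachine stores are readable.

```powershell
# Added example (not from the article): audit the local machine certificate stores
# for RSA keys shorter than the 1,024-bit minimum the Microsoft update enforces.
# Assumes Windows PowerShell with access to the Cert: drive; run as Administrator.

$MinimumKeyBits = 1024   # threshold stated in the article

function Get-ShortRsaCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine',
        [int]$MinBits = $MinimumKeyBits
    )

    Get-ChildItem -Path $StorePath -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Only RSA keys are affected by the update; skip other algorithms.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }

            try {
                $bits = $cert.PublicKey.Key.KeySize
            } catch {
                # The key could not be loaded (for example an unsupported CSP); report it as unknown.
                $bits = $null
            }

            if ($null -eq $bits -or $bits -lt $MinBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

# Run the audit; an empty result means no certificate on this machine falls below the minimum.
Get-ShortRsaCertificate | Sort-Object KeyBits | Format-Table -AutoSize
```

Certificates listed here are the ones Windows will stop trusting after the update, so they should be reissued with longer keys before it is deployed, whether directly or through WSUS.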
Microsoft will release the seven updates at approximately 1 p.m. ET on Oct. 9.