Microsoft slates 12 patches for next week
Sets seven 'critical' updates for Windows, IE, VBScript and Office
Computerworld - Microsoft Corp. announced today that it will release a dozen security updates next week, matching the patch record set a year ago. Seven of the 12 will be tagged with the company's highest threat ranking.
"There's not a Windows shop anywhere in the world that won't need to deploy at least one of these patches," said Andrew Storms, director of security operations at nCircle Network Security Inc. And most everyone will be taking all 12."
The tally matches the most delivered in any month during 2007 -- that was February as well -- and greatly outnumbers the two Microsoft handed over last month.
Storms made the case that both the width and depth of the updates means that virtually all parts of the Windows ecosystem will need attention next Tuesday. "Not only are these across the board, but they're deep and wide, too," he said. "It's applications as well as operating systems, on the client side and on the server side."
Among the dozen updates listed in the prepatch notification posted to the Microsoft Web site this morning, are three slated for Microsoft Office, three for Windows, two for Internet Information Server (IIS), and one each for Internet Explorer, Microsoft Works, VBScript and JScript, and Active Directory.
Nor will the patches be limited to Windows, according to Microsoft. Several of the bulletins spell out fixes to Office 2004 for Mac.
But it's the sheer number of updates that struck Storms. "Quite a few people are going to be working overtime next week, starting Tuesday," he said, referring to IT staffers responsible for testing and deploying security updates.
Some past vulnerability trends also look like they're continuing, he added, pointing to the three Office updates. Each pegged an application in the Office 2000 edition with a "critical" vulnerability, but labeled the same bug only "important" in Office XP and Office 2003. The same applications in Office 2007 on Windows and Office for Mac 2008 were missing from the list, indicating that they posed no risk.
"This is following the trend we've been watching for some time," Storms said. "The newer applications are more secure, as they should be, since Microsoft has done more [security-related] work on the newer apps."
He speculated that the Office and Works flaws would turn out to be file-format parsing issues -- a good bet, since the bulk of vulnerabilities uncovered in the past two years in those suites have been related to file-format problems -- and that one of the three Windows fixes may be related to the IP stack.
"In that bulletin, it's listed 'critical' on the client but only 'moderate' on Server 2003," Storms said. "That tells me there's something in the code base that's different [between the client and server versions of Windows]. It might be something to do with the IP stack, maybe another ICMP or IGMP vulnerability."
Last month's sole critical bulletin patched multiple protocol vulnerabilities in Windows, including one in IGMP (Internet Group Management Protocol); Microsoft updated the bulletin several times, adding Small Business Server and Windows Home Server to the original list of affected systems, and researchers countered the company's claim that an exploit would be tough to craft by coming up with one within days.
Microsoft will issue the 12 updates next Tuesday around 1 p.m. Eastern time, as well as seven high-priority, nonsecurity updates, five of which will be for parts of the company's Office lineup.
Read more about Operating Systems in Computerworld's Operating Systems Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Partners in Mobile Device Management: AirWatch & CDW When it comes to Mobile Device Management, it's not just what you know. It's who you know. That's why CDW partners with industry...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
- Redefine Your IT Operations: Remote Office IT Has Never Been Simpler Join us to see why PC Pro named Dell PowerEdge VRTX the "2013 Server of the Year." PowerEdge VRTX may be just what... All Operating Systems White Papers | Webcasts