Microsoft plans monster Patch Tuesday next week
Unlucky 13 sets record as biggest-ever patch day, includes first-ever for Windows 7 RTM
Computerworld - Microsoft today said it will deliver its largest-ever number of security updates on Tuesday to fix flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and the enterprise-grade Forefront Security client software.
Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system.
The company will ship a total of 13 updates next week, eight of them pegged "critical," the highest threat ranking in its four-step scoring system, beating the previous record of 12 updates shipped in February 2007 and again in October 2008.
"Thirteen is not a lucky number," said Andrew Storms, director of security operations at nCircle Network Security, reacting to the massive slate scheduled for Oct. 13. "They've been a busy bunch at Microsoft, that's for sure."
Storms was unable to parse today's advance notification -- Microsoft's way of forewarning customers with the barest of details, including the number of updates, their ranking and the software they impact -- to determine whether the company will patch the still-unfixed vulnerability in SMB 2. "There's just too much data here to use the deduction method," said Storms. "But with all that's here, you have to imagine that it's going to be patched."
The bug in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows, was first revealed by Microsoft Sept. 7. Since then, attack code has gone public, although security researchers have not seen any in-the-wild attacks. The flaw affects Windows Vista, Windows Server 2008 and preview releases of Windows 7.
Of the 13 updates, Storms put the patches scheduled for SQL Server, Visual Studio and IE at the top of his list.
"The SQL Server update will affect a lot of people, especially those who use it as the back-end for their Web sites. And the Visual Studio update makes me wonder if it's another fix for ATL," Storms said, referring to the Active Template Library (ATL) bug that Microsoft itself introduced in its popular development platform.
Microsoft patched a number of bugs in the ATL code "library," which the company and others rely on to create their programs, in August.
"There's also the token IE update," added Storms. "Even IE8 is critical this month."
Windows 7 will receive its first official patches next week: Five of the 13 bulletins were marked today by Microsoft as affecting the new operating system. "At this point, Windows 7 is essentially released," said Storms.
Although Windows 7 won't reach retail or be available on new PCs until later this month, some customers -- primarily enterprises with volume licensing agreements -- have been able to obtain the OS for the last two months.
Both consumers and company administrators should gear up for a busy Tuesday, Storms warned. The latter will especially have a tough time with the monster update, since businesses typically try to test updates before they roll them out to their servers or client systems. "The problem for enterprises will be staying diligent with their patch management policies," said Storms. "But with this many updates, there should be places to cut corners to get the most critical updates out according to their own schedules."
Testing 13 updates may also give system administrators fits, he warned. "There are so many potential interactions with this many," Storms concluded. "It's going to be a full month of testing for some."
Microsoft will release the 13 updates at approximately 1 p.m. ET on Oct. 13.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts