Microsoft delivers massive Patch Tuesday, fixes 34 flaws
Unlucky 13 updates plug multiple 'zero-day' holes, including one Microsoft had kept secret until now
Computerworld - Microsoft today delivered a record 13 security updates that patched 34 vulnerabilities in every version of Windows, including the not-yet-for-sale Windows 7, as well as in Internet Explorer (IE), Office, SQL Server and other parts of its software portfolio.
The 34 flaws were also a record number for Microsoft, the most holes patched in one sitting since Microsoft switched to a regular monthly update schedule six years ago. The closest competitor was December 2008, when the company quashed 28 bugs.
"To anyone following Apple, this isn't a big surprise," said Andrew Storms, director of security operations at nCircle Network Security, referring to Microsoft's operating system rival, which typically issues security updates that include scores of fixes. "But this is certainly an unprecedented month for Microsoft."
Microsoft ranked 8 of the 13 updates and 21 of the 34 vulnerabilities as "critical," the top rating in its four-step scoring system. The remainder of the bulletins were judged "important," the next threat level down, while nine of the flaws were also pegged important, and the final 4 were tagged as "moderate."
Among today's patches were several for zero-day vulnerabilities -- bugs for which exploit code had already gone public. One of the zero-day vulnerabilities was undisclosed until today.
Microsoft patched three vulnerabilities in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows; two bugs in the FTP server that's included with older editions of its Internet Information Services (IIS) Web server; and two in the Windows Media Runtime. The flaws in SMB 2 and IIS had been public knowledge since early September, but the Windows Media vulnerabilities included one that Microsoft said was already in the wild, but had not leaked to the usual public sources, such as security mailing lists.
For that reason, Storms urged everyone to deploy the MS09-051 update, which patches the Windows Media bugs, as soon as possible. "At first glance, [MS09-]051 should be patched immediately," he said. "What's interesting today is that we're learning it's in the wild. More important, it can be exploited in drive-by attack situations, just be getting people to go to a [malicious] Web site."
Early last month, Microsoft revealed the SMB 2 vulnerability, but although attack code went public, security researchers have not seen any actual attacks. The flaw affects Windows Vista, Windows Server 2008 and preview releases of Windows 7, but not the final edition slated for retail release next week.
The FTP flaw, on the other hand, was disclosed by Microsoft Sept. 1, when the company confirmed that its security team was investigating attack code that hit the street on the last day of August.
- Single-Vendor Security Ecosystems Offer Concrete Benefits Over Point Solutions IT security decision-makers from companies with 100 to 5,000 employees evaluates the current endpoint security solution market based on Forrester's own market data,...
- Case Study: Intuit Turns to Self-Service IT Intuit empowered its users to resolve their own IT issues with a consumer-like experience to free IT to focus on more strategic initiatives....
- Automation for a Better Tomorrow Check out the five most common annoyances facing enterprise IT service desks today, and how automation can resolve all of them. Download the...
- Beyond the Enterprise App Store Leverage proactive, secure and automated IT Service delivery to move beyond the traditional App Store and empower your users. Read the white paper...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!