Microsoft slates colossal Windows patch next week
Ties record with 13 security updates, plans to fix 26 bugs in Windows, Office
Computerworld - Microsoft today said it will deliver a record-tying 13 security updates on Tuesday to patch more than two dozen vulnerabilities in Windows and Office.
The company will ship a total of 13 updates next week, five of them pegged "critical," the highest threat ranking in its four-step scoring system. The 13 updates will tie the record from October 2009, when Microsoft issued the same number of bulletins, but fixed a total of 34 vulnerabilities. According to Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), next week's updates will patch 26 flaws.
"A lot? That's an understatement," said Andrew Storms, director of security operations at nCircle Network Security. "But we could have had 14," he added, referring to the emergency Internet Explorer (IE) update Microsoft released two weeks ago. That "out-of-band" update was originally slated to be included in the collection set to ship this month.
Of the eight updates not marked critical, seven were ranked "important," the next-lower rating, while one was pegged "moderate." Eleven of the 13 will affect one or more editions of Windows; the remaining pair will affect Office XP and Office 2003 on Windows, and Office 2004 for Mac.
"What's kind of interesting this month is that there are fewer applications updates," said Storms, talking about the 11-to-2 ratio of Windows-to-Office security bulletins. The trend, Storms noted, has been the opposite: Microsoft applications, primarily Office and IE, have been extensively exploited by hackers, who have shied away from Windows itself because attacking applications has been easier.
That's not to say there isn't evidence of long-standing trends in the massive matrix that Microsoft spelled out in today's advance notification. One trend: Newer software is generally more secure than older software.
"We know that the newer operating systems are more secure," said Storms. "They use newer code, and were created with SDL [Security Development Lifecycle]," he added. SDL is Microsoft's term for a programming philosophy that bakes security awareness into all aspects of development. As proof, Storms pointed to Windows Server 2008 R2, the newest version of Microsoft's server software. "It has the least number of bulletins," he said.
Server 2008 R2 will be affected by 5 of the 11 Windows updates. Windows 7, the newest client operating system, will be impacted by the same percentage, 45%, of the total. The eight-year-old Windows XP, meanwhile, will require 8 of the 11, or 73% of Windows updates, while the even older Windows 2000 will be affected by 9 of the 11, or 82% of the total.
"Every month, there's a new reason to get off the older operating systems, to get off the older applications," said Storms.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts