Microsoft plans double-sized Patch Tuesday next week
Slates nine updates, more than twice the biggest 'off' month of 2010
Computerworld - Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.
The number of Sept. 14 updates will be more than double the maximum the company has delivered in any other of this year's odd-numbered months. Microsoft traditionally delivers relatively few patches in those months.
Four of the updates were labeled "critical," Microsoft's highest threat ranking in its four-step scoring system. The remaining five were marked "important," the second-highest rating.
The update tally that Microsoft spelled out in its monthly advance notification to customers is "quite substantial," said Wolfgang Kandek, chief security officer of Qualys, considering that September should be an "off" month for patches.
Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In August, for example, Microsoft delivered a record 14 updates that patched a record-tying 34 vulnerabilities. July's batch, however, contained just four bulletins that fixed five flaws.
By that back-and-forth, Microsoft should have issued a small number of security updates.
"I'm a little bite surprised at the number," said Kandek. "Maybe some of them will be fixes for the DLL issue."
Kandek was referring to a vulnerability in a large number of Windows applications -- some estimates have pegged it as north of 200 -- that was first publicly disclosed three weeks ago by HD Moore, chief security officer at Rapid7 and the creator of the open-source Metasploit hacking toolkit. At the time, Moore announced that several dozen Windows programs were flawed because they improperly loaded code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- giving hackers a way to hijack a PC by tricking the application into calling on a malicious DLL.
A week later, Microsoft said it would not be able to patch Windows to stymie attacks, but instead said application developers would have to fix their own products. The company also released a complicated-to-use tool to block possible attacks.
"Some of these could be patches for the DLL issue," said Kandek, pointing to the two updates slated to address vulnerabilities in Microsoft's Office suite.
Researchers have claimed that several Office applications, including PowerPoint 2007 and 2010, and Word 2007, are vulnerable to the bug, which has acquired the name "DLL load hijacking."
By the bare bones details Microsoft includes in its advance warning, "Bulletin 3" could be a patch for Word's DLL problem.
Eight of the nine updates affect one or more versions of Windows; one of those will patch Microsoft's IIS (Internet Information Services) Web server software. Two will impact Office. (Microsoft listed one of the bulletins under both categories.)
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts