Microsoft plans double-sized Patch Tuesday next week
Slates nine updates, more than twice the biggest 'off' month of 2010
Computerworld - Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.
The number of Sept. 14 updates will be more than double the maximum the company has delivered in any other of this year's odd-numbered months. Microsoft traditionally delivers relatively few patches in those months.
Four of the updates were labeled "critical," Microsoft's highest threat ranking in its four-step scoring system. The remaining five were marked "important," the second-highest rating.
The update tally that Microsoft spelled out in its monthly advance notification to customers is "quite substantial," said Wolfgang Kandek, chief security officer of Qualys, considering that September should be an "off" month for patches.
Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In August, for example, Microsoft delivered a record 14 updates that patched a record-tying 34 vulnerabilities. July's batch, however, contained just four bulletins that fixed five flaws.
By that back-and-forth, Microsoft should have issued a small number of security updates.
"I'm a little bite surprised at the number," said Kandek. "Maybe some of them will be fixes for the DLL issue."
Kandek was referring to a vulnerability in a large number of Windows applications -- some estimates have pegged it as north of 200 -- that was first publicly disclosed three weeks ago by HD Moore, chief security officer at Rapid7 and the creator of the open-source Metasploit hacking toolkit. At the time, Moore announced that several dozen Windows programs were flawed because they improperly loaded code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- giving hackers a way to hijack a PC by tricking the application into calling on a malicious DLL.
A week later, Microsoft said it would not be able to patch Windows to stymie attacks, but instead said application developers would have to fix their own products. The company also released a complicated-to-use tool to block possible attacks.
"Some of these could be patches for the DLL issue," said Kandek, pointing to the two updates slated to address vulnerabilities in Microsoft's Office suite.
Researchers have claimed that several Office applications, including PowerPoint 2007 and 2010, and Word 2007, are vulnerable to the bug, which has acquired the name "DLL load hijacking."
By the bare bones details Microsoft includes in its advance warning, "Bulletin 3" could be a patch for Word's DLL problem.
Eight of the nine updates affect one or more versions of Windows; one of those will patch Microsoft's IIS (Internet Information Services) Web server software. Two will impact Office. (Microsoft listed one of the bulletins under both categories.)
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts