Microsoft to patch Windows bug called 'Holy Grail' by one researcher
Announces next week's Patch Tuesday line-up, will fix 7 flaws in Windows, developer software
Computerworld - Microsoft yesterday said it would ship six security updates next week, only one critical, to patch seven vulnerabilities in Windows and a pair of for-developers-only programs.
This year's March Patch Tuesday will feature three more updates and three more patches than the same month in 2011, but will fix fewer bugs than the March roster in each of the years 2008-2010, according to records kept by Andrew Storms, director of security operations at nCircle Security.
One of the six updates was tagged "critical," the highest threat ranking in Microsoft's four-label system, while four were marked "important," the second-level rating, and the sixth as "moderate." One of the important updates, as well as the sole critical one, will patch bugs that Microsoft confirmed could be exploited by attackers to compromise PCs and plant malware on victimized machines.
Storms tried to parse the limited information Microsoft revealed in the advance notification for Patch Tuesday but came up mostly empty. "Overall, there's not much to go on here as we look to be back to lower numbers on a down month," said Storms during an instant message interview.
Storms was referring to Microsoft's habit of issuing a higher number of updates in even-numbered months.
In February, for example, Microsoft released nine security updates -- called "bulletins" in its parlance -- that patched 21 vulnerabilities.
Based on what Microsoft disclosed yesterday, Storms and other security experts pegged "Bulletin 1," the single critical update, as the one most users should apply first.
"It's rare to find a bulletin that transcends all versions of Windows," said Storms, referring to that update's applicability -- and critical rating -- for everything from Windows XP to Windows 7, Server 2003 to Server 2008 R2. "Either it's a serious bug in code that was never touched during all the reworks from XP all the way to Windows 7, or what we've got here is a bulletin with multiple bugs grouped together. It could be one vulnerability affecting older versions and another for the newer versions."
Wolfgang Kandek, the chief technology officer at Qualys, and Alex Horan, senior product manager for security intelligence at Core Security, also tagged that update as the most important of the month.
In an email Thursday, Horan called Bulletin 1 a potential "Holy Grail of exploit" because it will patch all versions of Windows, and thus will make a lucrative target for cybercriminal researchers searching for ways to hack PCs.
Bulletin 3, said Microsoft, also affects all supported versions of Windows, although the underlying flaw could be used by hackers only to obtain additional rights. So-called "elevation of privilege" vulnerabilities are often used by hackers in conjunction with other exploits to gain wider access to a computer or the network it is on.
Storms also called out Bulletin 3, which applies to Windows Server software, but not the client editions for desktops and notebooks.
"We've seen Server-only bulletins before," he said, "which makes sense, since the Server versions of Windows use different services. It's likely we will see the bug in some area that can only be installed on Server, [making] this of interest to the server ops guys at the table."
Besides the four Windows updates, Microsoft will also issue bulletins targeting bugs in Visual Studio 2008 and 2010, and Expression Design.
The latter is a professional-grade illustration and design tool for creating and editing images for websites that, according to Microsoft's records, has never received a security update. Bulletin 5, the one aimed at Expression Design, will address a bug that hackers could use to execute attack code.
Microsoft will release the six updates at approximately 1 p.m. ET on March 13.
Mozilla is also slated to update it Firefox browser to version 11 that same day.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts