Microsoft slates another monster Patch Tuesday

It will deliver a record 17 security updates patching 40 vulnerabilities

Microsoft today said it will deliver a record 17 security updates next week to patch 40 vulnerabilities in Windows, Internet Explorer (IE), Office, SharePoint and Exchange.

Among the 40 patches will be two that address a pair of bugs that hackers have already exploited.

"I really was not expecting 17," said Andrew Storms, director of security operations at nCircle Security. "I expected 10 at the most."

The 17 updates -- Microsoft calls them "bulletins" -- are a record, beating the count from October 2010 by one. The bulletins that will ship next Tuesday will include 40 patches, Microsoft said, nine fewer than the record set last October, but six more than the next-largest months of October 2009 and June and August of this year.

The total bulletin count for the year -- 106 -- was also a record, as was the number of vulnerabilities patched in those updates: 266.

Microsoft defended the blistering bug patching pace of 2010.

"This is partly due to vulnerability reports in Microsoft products increasing slightly ... [and to the fact that] Microsoft supports products for up to ten years," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC), in a post to the team's blog today. "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports."

But it was December's big number that caught Storms' eye.

"The sheer number is quite surprising for December," said Storms. In the past three years, Microsoft has issued no more than nine updates in December, he said. "And while Microsoft doesn't necessarily take its cues from the rest of the world, the fact is many organizations won't patch a lot of these until after the first of the year," Storms continued.

Not only will enterprise IT staffs be short-handed this month -- what with holidays and vacation time -- but they will be unlikely to risk problems that could crop up in patching during such an important time of the year for their business.

"In this case, there might be less risk involved by doing nothing," said Storms. "That's especially true of companies, like those in the financial sector, that have locked down their networks since early November."

Many firms forbid patching during the last two months of the year to ensure that their hardware continues to operate, said Storms.

Two of the 17 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step scoring system. Another 14 were marked "important," the second-highest rating, while the remaining update was labeled "moderate."

Ten of the updates could be exploited by attackers to remotely inject malicious code into vulnerable PCs, Microsoft said in its usual bare-bones advance notification. Microsoft often labels remote code execution bugs -- the most dangerous kind -- as important rather than critical when the vulnerable components are not switched on by default, or when other mitigating factors, such as the ASLR and DEP memory defenses, may protect some users.

Among the fixes slated for next week will be one that addresses an already-disclosed vulnerability in all supported versions of IE, said Reavey.
