Menu
Microsoft slates 12 patches for next week

Microsoft slates 12 patches for next week

Sets seven 'critical' updates for Windows, IE, VBScript and Office

Microsoft announced it will release a dozen security updates next week, matching the patch record set a year ago. Seven of the 12 will be tagged with the company's highest threat ranking.

"There's not a Windows shop anywhere in the world that won't need to deploy at least one of these patches," said Andrew Storms, director of security operations at nCircle Inc. And most everyone will be taking all 12."

The tally matches the most delivered in any month during 2007 -- that was February as well -- and greatly outnumbers the two Microsoft handed over last month.

Storms made the case that both the width and depth of the updates means that virtually all parts of the Windows ecosystem will need attention next Tuesday. "Not only are these across the board, but they're deep and wide, too," Storms said. "It's applications as well as operating systems, on the client side and on the server side."

Among the dozen updates listed in the prepatch notification posted to the Microsoft Web site this morning, are three slated for Microsoft Office, three for Windows, two for Internet Information Services (IIS), and one each for Internet Explorer, Microsoft Works, VBScript and JScript, and Active Directory.

Nor will the patches be limited to Windows, according to Microsoft. Several of the bulletins spell out fixes to Office 2004 for Mac.

But it's the sheer number of updates that struck Storms. "Quite a few people are going to be working overtime next week, starting Tuesday," he said, referring to IT staff responsible for testing and deploying security updates.

Some past vulnerability trends also look like they're continuing, he added, pointing to the three Office updates. Each pegged an application in the Office 2000 edition with a "critical" vulnerability, but labeled the same bug only "important" in Office XP and Office 2003. The same applications in Office 2007 on Windows and Office for Mac 2008 were missing from the list, indicating that they posed no risk.

"This is following the trend we've been watching for some time," Storms said. "The newer applications are more secure, as they should be since Microsoft has done more [security-related] work on the newer apps."

He speculated that the Office and Works flaws would turn out to be file format parsing issues -- a good bet since the bulk of vulnerabilities uncovered in the past two years in those suites have been related to file format problems -- and that one of the three Windows fixes may be related to the IP stack.

"In that bulletin, it's listed 'critical' on the client but only 'moderate' on Server 2003. That tells me there's something in the code base that's different [between the client and server versions of Windows]. It might be something to do with the IP stack, maybe another ICMP or IGMP vulnerability."

Last month's sole critical bulletin patched multiple protocol vulnerabilities in Windows, including one in IGMP (Internet Group Management Protocol); Microsoft updated the bulletin several times, adding Small Business Server and Windows Home Server to the original list of affected systems, and researchers countered the company's claim that an exploit would be tough to craft by coming up with one within days.

Microsoft will issue the 12 updates next Tuesday around 1 p.m. Eastern, as well as seven high-priority, non-security updates, five of which will be for parts of the company's Office lineup.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments