News

16 Security Fixes Expected in Microsoft's October Patch

• By Jabulani Leffall
• 10/07/2010

Microsoft's forthcoming October security update will be another historic rollout.

Redmond expects to release an eye-popping 16 security bulletins on Tuesday, according to the company's advance notice. Four of the items will be deemed "critical" and 10 will be "important." In a rare addition, two bulletins will arrive as "moderate" security items.

This months' mammoth slate will address 49 vulnerabilities, representing a new record so far in a record-breaking patch year.

The October patch release will arrive in a hefty state despite Microsoft's prolific efforts recently in delivering multiple security advisories and out-of-band patches. IT pros may already be wrestling with Adobe's announcement earlier this week of a patch addressing 25 vulnerabilities in Adobe Reader and Acrobat.

There will be 10 remote code execution vulnerabilities to be addressed in Microsoft's patch. Other flaws highlighted in the October advance notice include three elevation-of-privilege risks, one information disclosure threat, one tampering flaw and one denial-of-service item.

The patch's girth could be explained, in part, by the timing of its release in the latter part of this year, according to one security expert.

"The theory behind the larger October patch is that many industries go into 'lock-down' mode with their critical infrastructure as the end of year approaches," said Andrew Storms, director of security at nCircle. "Finance and retail sectors in particular are extremely careful with changes in the latter part of the year given the heavy volume of online shopping."

Critical Items
The first critical update will be a cumulative patch for Internet Explorer, touching IE 6, 7 and 8 on every supported operating system.

Critical fix No. 2 will only affect Vista and Windows 7. The third and fourth critical patches will affect every Windows operating system that Microsoft supports.

Important Items
The first important item will touch Microsoft Windows SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, Microsoft Groove Server 2010 and Microsoft Office Web Apps.

The second important patch will be a Windows patch designed every supported release of the OS. IT pros will find that the same situation will apply for Microsoft's other important patches, with the notable exceptions of important fixes No. 4 and No. 8, which will only affect Windows XP and Windows Server 2003.

Important items No. 9 and No. 10 will only affect Vista, Windows 7 and Windows Server 2008.

Moderate Items
The two moderate items that will round out this slate will both be Windows patches. The first moderate security fix will address a remote code execution flaw in every supported Windows OS. The second one will be confined to Windows Server 2008.

Another burden to consider with this massive installation is that every patch may, or will, require a restart.

"This month will be particularly challenging for administrators as most patch scenarios will hit every machine on any given network," said Jason Miller, data and security team leader at Shavlik Technologies.

Meanwhile, even amid the large rollout, there still may be some unfinished business to address. Storms explained that outstanding "DLL load hijacking vulnerabilities are not specifically spelled out as being fixed this month." He added that "we'll have to wait and see how Microsoft chooses to address this issue."

Finally, for any Windows IT pros with any time left, they can check out this Knowledge Base article for information on nonsecurity updates via Windows Server Update Services, Windows Update and Microsoft Update.