Biggest Microsoft Security Patch Arriving Tuesday

So much for the dog days of summer, at least when it comes to Windows security.

Microsoft announced today that it plans to release an eye-popping and record-breaking 14 security bulletins in this month's update. Tuesday's release will contain eight "critical" and six "important" bulletins, according to Microsoft's advance notification.

The August security update will cover a wide swath of Microsoft products, including Windows, Internet Explorer, Office and Silverlight multimedia software.

"Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions," said Wolfgang Kandek, CTO of Qualys, commenting on the patch to come. "They are examples of this increasingly used type of flaw, where attackers and malware go through the installed applications, rather than through the core operating system."

Of the 14 bulletins, 10 address remote code execution (RCE) flaws, and the remaining four fix elevation-of-privilege vulnerabilities. All told, the bulletins cover 34 vulnerabilities.

Microsoft Sets a New Record
Jason Miller, data and security team leader at Shavlik Technologies, said that a clear pattern is emerging here.

"A heavy month was expected because it appears that Microsoft is typically going light-heavy-light [in its patch cycle]," Miller said.

Microsoft last hit a peak in February, when it released 13 bulletins. The 34 vulnerabilities expected this month, however, will only tie the high set in June.

"For those who keep track of such things, this will be the most bulletins we have ever released in a month," said Microsoft Security Response Center spokesperson Angela Gunn. "We have released 13 bulletins on a couple of occasions. However, in total CVE count, this release ties with June 2010, so there's no new record there."

IT pros may have barely had time to blink. Microsoft released an out-of-band patch on Monday for a critical vulnerability in the way the Windows Shell handles shortcut (.lnk) files, which attackers have used to spread malware. The flaw has been associated with the Stuxnet worm and other malware. It affects all supported Windows operating systems, as well as Windows XP Service Pack 2, which no longer receives security patches from Microsoft.

"While it's of grave concern to deal with the high volume of critical patches, even more concerning is the recent Stuxnet activity," said Paul Henry, security analyst at Lumension. "It is also equally important to note that Microsoft makes no mention of the emergency patch issued earlier this week around Windows XP Service Pack 2 that will continue to affect XP users."

Critical Fixes
The first two critical fixes are Windows OS-level patches and touch every supported version. The third critical patch, meanwhile, affects only XP, Vista and Windows Server 2003.

The fourth critical item is yet another cumulative Internet Explorer patch. It covers IE 6 through IE 8 on every supported operating system.

Critical patches No. 5 and 6 are Windows patches as well, with No. 5 touching every supported OS and No. 6 only covering XP, Vista and Windows 7.

The seventh critical patch is a fix for Microsoft Office. Microsoft Word is affected, both the word processor itself and the Word Viewer. The patch covers Word in Office XP, Office 2003 and 2007 Microsoft Office System Service Pack 2, and on the Mac side, Office 2004, Office 2008 and the Open XML File Format Converter for Mac.

The eighth and final critical item on the slate pertains to Microsoft Silverlight, the Web multimedia plug-in. This month's bulletin fixes remote code execution vulnerabilities affecting Silverlight 2 and Silverlight 3.

Important Fixes
All of the important fixes, except for one, are Windows OS-level patches. They are a mixed bag, covering two remote code execution vulnerabilities and four elevation-of-privilege vulnerabilities.

The first important item covers every Windows OS except Windows Server 2003, while the second important bulletin affects every supported Windows OS. Important item No. 3, meanwhile, only covers XP and Vista.

The fourth important patch covers the popular Office spreadsheet app Excel. The patch affects Office XP, Office 2003, and 2007 Microsoft Office System Service Pack 2. On the Mac side of things, Office 2004, 2008 and Open XML File Format Converter for Mac are also included.

The remaining two important items are Windows patches covering only Vista, Windows 7 and Windows Server 2008.

All 14 patches may require a restart.
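Because a patch that needs a restart is not in effect until that restart happens, administrators typically want to confirm which hosts are still waiting on a reboot after a Tuesday like this one. The following PowerShell script is an added example for that check; it is not from the article or from Microsoft. It reads the three registry locations where Windows servicing, the Windows Update agent and installers record a pending restart, and it lists any hotfixes installed in the last seven days so the reboot state can be matched against the updates that caused it. The function names are my own.

```powershell
# Added example (not from the article): report whether a Windows host still has a
# reboot pending after patching, and which hotfixes were installed recently.
# Run in an elevated PowerShell session on the host being checked.

function Test-PendingReboot {
    [CmdletBinding()]
    param()

    $reasons = @()

    # Component Based Servicing (Vista and later) sets this key when a
    # servicing operation needs a restart to complete.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbs) {
        $reasons += 'Component Based Servicing'
    }

    # The Windows Update agent sets this key when an installed update
    # requires a restart.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $wu) {
        $reasons += 'Windows Update'
    }

    # Installers queue file replacements that only complete at boot.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join ', ')
    }
}

function Get-RecentHotFix {
    [CmdletBinding()]
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)
    # InstalledOn is blank for some entries, so filter defensively.
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

Test-PendingReboot | Format-List
Get-RecentHotFix | Format-Table -AutoSize
```

A host that reports RebootPending as True with recent hotfixes listed has downloaded and staged this month's fixes but is not yet protected by them; a host with no pending reboot and no recent hotfixes has not received them at all, which usually points at a WSUS approval or a client that has not checked in.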

If there is any time left over, Windows IT administrators can peruse the accompanying Knowledge Base article for this month's nonsecurity updates. The updates are delivered via Windows Server Update Services, Windows Update and Microsoft Update.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


Reader Comments:

Sun, Aug 15, 2010

Anyone who is tired of Windows can build something better, right? Personally, I don't mind the continual updates; so what if Windows has to restart once in a while. I remember when Windows had to restart all the time, for the least little thing. As far as I'm concerned, Microsoft is on the cutting edge of software design. No one does it better (sounds like a song, oops). Let's not forget that if it wasn't for vandals and thieves there would be no need to worry about viruses and backdoor worms.

Wed, Aug 11, 2010 SysAdmin Iowa

Well, I agree that it's a complex system, but at the same time, I fail to understand why Microsoft has to keep games, multimedia, and other similar desktop components, which not only are susceptible to potential security flaws but also get installed by default, as part of the server OS for such a long time. Were they too difficult to strip from the server OS during development? And doesn't it show laziness on MS's part?

Sun, Aug 8, 2010 Pittsburg, CA

Terka, WA -- when you develop a large application that is truly error free, you will have the right to bad-mouth those who merely correct their known errors. Since I have never heard of any such large application ever being built, I suggest you restrain yourself some. Be happy we have a vendor that is really interested in fixing errors. I can recall being told by IBM that the faulty BASIC format function wasn't a problem because nobody programmed business applications in BASIC -- baloney.

Fri, Aug 6, 2010

.NET Framework 1 security update downloaded but never installed on both my computers, XP Pro. Why BOTH computers? Seems like you should have some type of patch or rectify this, as every time I use Microsoft Update it says it's downloaded but NEVER installs.

Fri, Aug 6, 2010 Terka WA

Develop and fix later - this must be the motto. It could be legacy - but complexity is growing without too much value added. Like monster cars from General Motors - too big to fail. This is NOT diligence - but MS design laziness/incompetence.
