News

Microsoft Delivers Record-Breaking October Patch

• By Jabulani Leffall
• 10/12/2010

Microsoft broke its own patch delivery record again with the release today of its October security update.

While 2008 and 2009 were both heavier patch years than all previous years, with 78 and 74 respective total patch counts, this year's count is already up to 86. And it's only October.

Redmond rolled out 16 security bulletins in this month's patch, with four items deemed "critical" and 10 considered "important." In a rare addition, two "moderate" security items were also released.

The volume of security bulletins issued this month reflects Microsoft's engagement with the research community, according to Jason Miller, data and security team leader at Shavlik Technologies.

"There are a couple of factors that are coming into play for this," Miller explained. "First, Microsoft is the grandfather of patching and has spent years refining their process to develop the mature patching process we see in the modern era. Second, Microsoft is working closer than ever with security researchers in their Coordinated Vulnerability Disclosure (CVD) program."

By working with researchers, Miller said Microsoft is closing the gap on the time to release fixes for vulnerabilities found. With that, we should expect an "uptick in security bulletins," according to Miller.

This month's slate includes 10 remote code execution (RCE) patches. The other patches address three elevation-of-privilege risks, one information disclosure threat, one tampering flaw and one denial-of-service item.

Joshua Talbot, who manages security intelligence at Symantec Security Response, said the vulnerability count for RCE risks is one of the most notable things about the October slate.

"By our count, 35 of the issues fall into this category," he said. "These are bugs that could allow an attacker to run any command they wish on vulnerable machines."

Critical Items
The first critical item is a cumulative fix for Internet Explorer, touching IE 6, 7 and 8 on every supported operating system. It resolves seven privately reported vulnerabilities and three publicly disclosed vulnerabilities in IE.

Critical item No. 2 addresses a hole in the Microsoft Windows Media Player network sharing service. This item will only affect systems running Windows Vista and Windows 7

The next critical item fixes a vulnerability in a Microsoft Windows component, the Embedded OpenType Font Engine.

The fourth and final critical item resolves a bothersome hole in Microsoft's .NET Framework. Microsoft explained that this vulnerability could allow remote code execution on a client system "if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs)."

Important and Moderate Items
The first important item corrects a vulnerability that could allow information disclosure "if an attacker submits specially crafted script to a target site using SafeHTML." This security fix applies to SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, Microsoft Groove Server 2010 and Microsoft Office Web Apps.

Windows kernel-mode drivers on every supported OS release are addressed in the second important item.

Two privately reported vulnerabilities in the Windows OpenType Font format driver are addressed in important item No. 3.

The remaining important items affect Word, Excel, Windows Media Player, Windows Common Control Library, Windows Shell, Windows Server Local Call Procedure and SChannel.

Microsoft Foundation Class and Windows Shared Cluster are at the center of the two moderate patches.

Both the moderate patches and most of the important patches affect every supported Windows OS. Notable exceptions are important fixes No. 4 and No. 8, which will only affect Windows XP and Windows Server 2003. Additionally, important items No. 9 and No. 10 only affect Vista, Windows 7 and Windows Server 2008.

During this hectic week, all 16 patches may require restarts.

IT pros with any time left can check out this Knowledge Base article for information on nonsecurity updates via Windows Server Update Services, Windows Update and Microsoft Update.

Meanwhile, Andrew Storms, director of security at nCircle, predicts that Microsoft's total patch count for this year could very well reach or eclipse 100 security bulletins.

"It seems quite possible that Microsoft will hit the triple-digit mark for bulletins in 2010," he said. "With today's patch, 86 bulletins have already been released so far this year. Another 14 bulletins over the next two months seem more than likely."