Microsoft Preparing 'Ugly' Security Patch on Tuesday -- Redmondmag.com

Microsoft Preparing 'Ugly' Security Patch on Tuesday

By Jabulani Leffall
04/08/2011

Windows security experts had been expecting a large April security update after last month's thin offering, and Microsoft's advance notice appears to meet those expectations -- and then some.

Microsoft announced today that it plans to roll out 17 patches on Tuesday in its monthly security update, with nine fixes deemed "critical" and eight considered "important." Remote code execution (RCE) attack risks dominate April's slate, as 15 of the 17 security bulletins address those considerations. Two security bulletins point to information disclosure and elevation-of-privilege threats.

"No matter how you look at it, it's ugly," said Paul Henry, forensic and security analyst at Lumension. "We're well into a new year and things have not improved. In fact, they've gotten worse."

Critical Fixes
The first critical security bulletin appears to be the long-awaited cumulative fix for Internet Explorer. It will address every supported Windows operating system and covers IE 6, 7 and 8 browsers.

The remaining eight critical security bulletins are all Windows OS-level fixes with RCE exploit risks. Critical security bulletin No. 6 also includes a fix for Microsoft Office.

Important Fixes
The important security bulletins are a hodgepodge of updates that affect various programs, including Office and development tools, along with Windows. Word, Excel and PowerPoint are all in the patch crosshairs for the month of April.

All 17 updates may require restarts. With the growth of vulnerabilities and patches, it may be helpful to some Windows IT pros to check out the newly released Microsoft Security Update Guide. It's an aid for keeping track of patches and evaluating threat risks.

The recent expansion in the number of Microsoft's security bulletins comes from a spike in vulnerabilities affecting third-party software designed to run on Windows or that users with Windows systems download, Henry explained.

"All of this is further evidence that our methods of securing our systems just aren't up to par," Henry said. "Again and again, Microsoft falls victim to third-party software causing a major breach. Everyone blames Microsoft month after month for patching issues, but this is not just a Microsoft issue. Unless we're going to get busy patching this garbage we're installing on our systems, it's going to continue to be an issue."

In the meantime, administrators can check out this Knowledge Base article for information about nonsecurity updates being pushed out via Windows Update, Microsoft Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.