February Gets Unlucky Number of Patches
Microsoft is set to unload 13 patches this month. Plus: support clock is ticking for some Microsoft products; Adobe apologizes for old bug.
Microsoft's Patch Tuesday rollouts have broken several records several times in the past six months. February will break another record with 13 patches.
The one bit of good news is that the Microsoft Office suite doesn't have any critical patches for it. But security experts and enterprise admins still face a formidable group of exploits to patch. And every single update will require a restart.
One security pro said it's "imperative to plan ahead this month" and think about how the patches should be deployed based on an organization's needs and priorities.
"IT teams managing servers will definitely need to be on high alert this month and have proactive patching plans in place prior to Tuesday," said Don Leatham, senior director of solutions and strategy for Lumension. "They are facing critical patches for the three most common server platforms in Microsoft environments, including Windows Server 2003 with three critical vulnerabilities, Windows Server 2008 with two critical vulnerabilities, and Windows 2008 R2 with two critical vulnerabilities."
Security Support Ending for Vista RTM, Windows 2000, XP
Speaking of patches, Jerry Bryant, a senior manager with the Microsoft Security Response Center, said in February's advanced bulletin that Redmond will drop security support for the release-to-manufacturing (RTM) version of Vista after April's Patch Tuesday. That means Microsoft will no longer provide security updates for Vista RTM after that month's patch release.
Support for other Windows programs such as Windows 2000 and XP SP2 will end in July. Incidentally, XP and Windows 2000 are the operating systems most affected by the critical patches in February's slate; the OSes have five critical patches each.
Adobe: Sorry About 16-Month-Old Bug
Adobe, which has had no shortage of bugs to patch, found itself apologizing over the weekend for yet another bug.
This time, Adobe issued a mea culpa for a non-malware "crash" glitch in its Flash Player program. Apparently, the bug hasn't been patched for 16 months after first being identified by security researcher Matthew Dempsky. Dempsky now has a "Flash crash" site to explain the problem, about which he says he first contacted Adobe in September 2008.
"We picked up the bug in question as a crasher when it was filed on September 22, 2008, and were able to reproduce it," wrote Emmy Huang in the Adobe blog post. "Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch."
The mistake, Huang admitted, came when Adobe said it would patch the bug in its next release, which was the yet-to-be released Flash Player 10.1. So Adobe let the bug remain unfixed instead of scheduling a patch for it in the "Flash Player 10 security dot release."
"We should have kept in contact with the submitter [of the exploit code] and to let him know the progress. Sorry we did not do that," Huang said.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.