News

Biggest Microsoft Security Patch Arriving Tuesday

• By Jabulani Leffall
• 08/05/2010

So much for the dog days of summer, at least when it comes to Windows security.

Microsoft announced today that it plans to release an eye-popping and record-breaking 14 patches for this month's security update. Tuesday's patch will contain eight "critical" items and six "important" items, according to Microsoft's advance notice.

The August security update will cover a wide swath of Microsoft products, including Windows, Internet Explorer, Office and Silverlight multimedia software.

"Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions," said Wolfgang Kandek, CTO of Qualys, commenting on the patch to come. "They are examples of this increasingly used type of flaw, where attackers and malware go through the installed applications, rather than through the core operating system."

Of the 14 bulletins, 10 address remote code execution (RCE) flaws with the rest designed to stave off elevation-of-privilege vulnerabilities. All told, the patches will cover 34 vulnerabilities.

Microsoft Sets a New Record
Jason Miller, data and security team leader at Shavlik Technologies, said that a clear pattern is emerging here.

"A heavy month was expected because it appears that Microsoft is typically going light-heavy-light [in its patch cycle]," Miller said.

Microsoft last hit a peak back in February, when it released 13 patches. However, the 34 vulnerabilities expected in this month's patch will simply match the high last set in June.

"For those who keep track of such things, this will be the most bulletins we have ever released in a month," said Microsoft Security Response Center spokesperson Angela Gunn. "We have released 13 bulletins on a couple of occasions. However, in total CVE count, this release ties with June 2010, so there's no new record there."

IT pros may have barely had time to blink. Microsoft released an out-of-band patch on Monday for a critical vulnerability in the Windows Shell that can be used to spread malware through shortcut files. The flaw has been associated with the Stuxnet worm and other malware. It affects supported Windows operating systems, as well as Windows XP Service Pack 2, which no longer gets security patches from Microsoft.

"While it's of grave concern to deal with the high volume of critical patches, even more concerning is the recent Stuxnet activity," said Paul Henry, security analyst at Lumension. "It is also equally important to note that Microsoft makes no mention of the emergency patch issued earlier this week around Windows XP Service Pack 2 that will continue to affect XP users."

Critical Fixes
The first two critical fixes are Windows OS-level patches and touch every supported version. Meanwhile the third critical patch only affects XP, Vista and Windows Server 2003.

The fourth critical item is yet another cumulative Internet Explorer patch. It covers IE 6 through IE 8 on every supported operating system.

Critical patches No. 5 and 6 are Windows patches as well, with No. 5 touching every supported OS and No. 6 only covering XP, Vista and Windows 7.

The seventh critical patch is a fix for Microsoft Office. Microsoft Word is affected -- both the processing app and viewer programs. The patch affects Word in Office XP, Office 2003, and 2007 Microsoft Office System Service Pack 2. Additionally Office 2004, 2008 and Open XML File Format Converter for Mac are covered as well.

The eighth and final critical item on the slate pertains to Microsoft Silverlight, the Web multimedia application. This month, there are RCE exploits affecting Silverlight 2 and Silverlight 3.

Important Fixes
All of the important fixes, except for one, are Windows OS-level patches and are a mixed bag, containing two RCE exploit considerations and four elevation-of-privilege vulnerabilities.

The first important item covers every Windows OS except Windows Server 2003, while the second important bulletin affects every supported Windows OS. Important item No. 3, meanwhile, only covers XP and Vista.

The fourth important patch covers the popular Office spreadsheet app Excel. The patch affects Office XP, Office 2003, and 2007 Microsoft Office System Service Pack 2. On the Mac side of things, Office 2004, 2008 and Open XML File Format Converter for Mac are also included.

The remaining two important items are Windows patches covering only Vista, Windows 7 and Windows Server 2008.

All 14 patches may require a restart.

If there is any time left over, Windows IT administrators can peruse this Knowledge Base article for nonsecurity updates. The updates are delivered via Windows Server Update Services, Windows Update and Microsoft Update services.