News

Tuesday's Patch Will Be a Windows Wash

• By Jabulani Leffall
• 02/04/2010

Microsoft today signaled that a hefty batch of security fixes will arrive on Tuesday.

Microsoft's has tended to break its own records of late. In the past six months, Patch Tuesdays have seemed more like "Fat Tuesdays," at least in terms of the volume of fixes contained in the monthly patch. February's patch looks to be no different. According to Microsoft's advance notice, it will contain 13 fixes -- five "critical," seven "important" and one "moderate" fix.

"This amount of bulletins make this the busiest February we've seen from Microsoft, with only four [seen in February of] last year and an average of 11 to 12 [bulletins seen] in the three years prior," said Sheldon Malm, senior director of security strategy at Rapid7.

"All eyes will be on Internet Explorer, given last month's out-of-band update and the current zero day [bug] affecting older versions and instances where Protected Mode is disabled."

Critical Items
The five critical security fixes will be targeted toward most Windows operating systems, according to Microsoft's advance notice. Every fix will be associated with remote code execution (RCE) security implications across several as-yet-unspecified Windows components. The most pressing Windows component so far this year from a security perspective has been Internet Explorer, expert say.

While the critical fixes apply across most Windows OSes, there will be a couple of exceptions. Critical patch No. 2 will not affect Vista, Windows 7 or Windows Server 2008. Critical patch No. 4 only touches on Vista and Windows Server 2008.

Important Items
The seven important items will be a mixed bag of RCE, elevation-of-privilege and denial-of-service exploit patches affecting both Windows components and Microsoft Office applications. Every supported Windows OS is affected in some form or another.

For the Office fixes, only Office apps sitting on Office XP, Office 2003 and Office 2004 for Mac will be affected.

Moderate Item
The lone moderate fix will only touch on the Windows 2000 and Windows XP operating systems as a patch for an RCE exploit.

It will be a busy day next Tuesday if the advance notice is any indication. Security experts anticipate no less than 20 vulnerabilities targeted in the February patch. All 13 security items may require a system restart.

"None of the operating systems escaped this month's updates. Even the latest versions of Windows have been hit hard this month, with six updates for Vista, eight for Server 2008, and five for Server 2008 R2 and Windows 7," Malm said in reference to the advance bulletin. "I won't be surprised if Microsoft is playing catch-up on some lingering vulnerabilities from last year."

If any IT administrators still have time for nonsecurity updates, they can check out this Knowledge Base article. It describes updates arriving via Windows Update, Microsoft Update and Windows Server Update Service.