Security Watch

Summer Winds Blow In Record Number of Security Fixes

Plus: Adobe readies Reader patch; Google engineer may get formal recognition for Windows flaws.

• By Jabulani Leffall
• 08/09/2010

Coming into the week, anybody following security knows patch installation will be epic for August, with the count at 14. It's the largest rollout ever, and it ties a record for the most vulnerabilities ever at 34 bugs, capped off with the out-of-band patch for a Windows shortcut flaw released earlier in the month. [Editor's note: This article has been updated from its original posting to reflect new information.]

Microsoft confirmed Monday it was investigating reports and working on a possible solution of a possible zero-day vulnerability in the Windows Kernel. This comes from Jerry Bryant, group manager for Microsoft Response communications.

"Upon completion of the investigation, Microsoft will take appropriate actions to protect customers," he said in a statement Monday. These "actions," of course, may include one or more out-of-band patches before August is over.

The new investigation that we know about so far comes from Danish security firm Secunia, which put out a security advisory last week saying a boundary error in Win32k.sys can be exploited via the "GetClipboardData" application programming interface (API). An exploit can cause a buffer overflow and enable elevation of administrative privileges on Windows 7, Windows XP SP 3 and Windows Server 2008 SP2.

Heavy Patching in 2010
After Tuesday, the patch count for the year will be 60. In eight months, there have been three off-cycle patches and four of those months (February, April, June and now August) have seen double-figure patching.

"For those who keep track of such things, this will be the most bulletins we have ever released in a month," said Microsoft Security Response Center spokesperson Angela Gunn, referring to last week's advanced notification.

Jason Miller, data and security team leader at Shavlik Technologies, says a couple of factors are coming into play for the increased number of bulletins in 2010.

"First, we need to take a look at the number of products that are currently supported by Microsoft," he said. "There are more operating systems supported now by Microsoft than ever before. Recently, Microsoft has released Windows Vista, 7, 2008 and 2008 R2. These operating systems have bulletins that only affect them as they are introducing features."

Miller adds that there are more and more security researchers looking for vulnerabilities for both good and bad purposes. With the increase in researchers out there, Microsoft has to step up the pace of fixes, he said.

Reader Patch Is Up Next
Adobe Systems is readying a patch of its own for the week of August 16, according to a security advisory. This will be an out-of-band patch for a PDF vulnerability in its Acrobat Reader software.

The advisory says the patch will cover Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, "including CVE-2010-2862 which was discussed at the Black Hat USA 2010."

Like other remote code execution bugs, the vulnerabilities in question, if triggered would allow hackers the ability to take control of a vulnerable system via a corrupt PDF file.

Google Engineer Brags
Tavis Ormandy, a top security engineer for Microsoft rival Google Inc., said on the micro-blogging social network Twitter that he would be recognized for discovering and disclosing four of the 34 total vulnerabilities in Redmond's August patch slate.

Ormandy is credited with first disclosing the bug in Windows' Help and Support Center to Microsoft. Controversy around the disclosure arose when Ormandy said he took the bug public five days after telling Microsoft because Redmond wouldn't give him a date that they planned to patch the issue.

Microsoft has not yet confirmed that Ormandy would be formally recognized on Tuesday.