News

Microsoft To Deliver Massive Security Patch on Tuesday

• By Jabulani Leffall
• 12/09/2010

Microsoft today promised that a hefty December security update will arrive next week.

December's massive patch, scheduled to arrive on Tuesday, will seal 2010 as the year with the most vulnerabilities and security updates since the inception of Microsoft's Patch Tuesday event. The bad news for IT pros comes wrapped up in an advance notification, announced today.

Microsoft plans to release an astounding 17 patches this month. Two of the security bulletins are deemed "critical." Next, there will be 14 "important" patches to contend with, followed by a lone "moderate" patch.

"It is enough that IT administrators are addressing the current denial-of-service attacks surrounding WikiLeaks where anyone could very quickly become a target," said Paul Henry, security and forensic analyst at Lumension. "But now organizations also have to address this mid-sized disruptive Patch Tuesday from Microsoft with 17 bulletins, which all do or may require a restart."

Remote code execution (RCE) attacks top the list of considerations in this month's patch, with 10 security bulletins addressing the risk. Other risks targeted in this patch include denial-of-service attacks and elevation-of-privilege concerns. The main products to be patched include Windows, Microsoft Office, SharePoint, Exchange and Internet Explorer.

Critical Fixes
The first critical security bulletin appears to be a cumulative update for IE, the world's most widely used Web browser. The fix affects most versions, including IE 6, 7 and 8.

A cumulative fix for IE may be sorely needed. Verizon researchers recently said they had discovered "a previously undisclosed vulnerability" in the browser that allows attackers to bypass the Protected Mode in both IE 7 and IE 8. Microsoft also faced a holdover issue from last month that was described in this security advisory.

That's two outstanding issues affecting multiple versions of IE. As the year comes to a close, it looks like Redmond will be patching both of those flaws in this wide-ranging security update.

The second and final critical item will be a Windows patch that touches every supported Windows operating system.

Important and Moderate Fixes
The 15 important security bulletins expected next week describe multiple Windows operating systems, but Microsoft's patch support will only be for OSes it still supports.

SharePoint and Office, particularly Microsoft Publisher, are the other software products that will be affected in the important group of security bulletins. Microsoft plans to provide more details on Tuesday.

Meanwhile, the lone moderate patch will deal with Microsoft Exchange.

All patches may require a restart.

Also, Microsoft will be rolling out nonsecurity updates via its Windows Server Update Services (WSUS), Windows Update and Microsoft Update services. Details about those updates can be found here.