Patch Tuesday Will Be Busy for IT Pros
Microsoft's regular monthly advance security bulletin was released as expected Thursday, and from the look of things, June will be a busy one for Windows IT pros.
The advance notification shows Microsoft plans to roll out 16 fixes in all, with nine deemed "critical" and seven labeled "important." As usual, remote code execution (RCE) considerations represent the predominant risk, being associated with 10 of the bulletins. Other concerns to be addressed will be elevation of privilege, information disclosure and denial of service, clocking in at two each in the upcoming June patch.
"It's clear that Microsoft is back to its typical practice of being very disruptive on Patch Tuesday," said Paul Henry, forensic and security analyst at Lumension. "This will be a long hot summer for IT professionals and there is just no room to slow down."
All of the forthcoming critical fixes will attempt to address potential RCE attacks. The first critical bulletin will be a Windows operating system-level patch affecting every supported Windows OS.
The second critical bulletin will touch the Microsoft .NET Framework and Microsoft Silverlight on every supported Windows OS as well.
Critical bulletin No. 3, meanwhile, will attempt to bring greater security to Microsoft Forefront Threat Management Gateway 2010, specifically, the client application.
Critical bulletins Nos. 4, 5 and 6 will be Windows OS-level patches touching every supported release. Likewise, critical patch No. 7 will be an all-encompassing Windows OS patch centered on .NET architecture on every supported OS in Redmond's repertoire.
The last two critical items (bulletins 8 and 9) will provide comprehensive fixes for Internet Explorer Web browsers. Critical item No. 8 will be a cumulative patch for IE 6, 7 and 8. Critical item No. 9 will be a more granular update for IE 6, 7 and 8 on Windows XP.
The first important item in the June patch will provide an information disclosure fix for all supported Windows OSes.
Next up will be a wide-ranging RCE fix for Microsoft Office. This second important fix will be focused primarily on addressing a flaw in Microsoft Excel. However, the Microsoft InfoPath forms creation program also will be addressed by this bulletin.
The third important item will be a Windows fix addressing all Microsoft-supported iterations.
Important security bulletins Nos. 4 and 5 will be designed to prevent denial-of-service attacks. One will touch Windows Server 2008 only, while the other will affect Windows Vista, Windows 7 and Windows Server 2008.
SQL Server, Visual Studio and InfoPath will be addressed by the sixth important fix. InfoPath 2007 and 2010 are the versions that Microsoft plans to fix. For the SQL part of the fix, security and database administrators should take notice, as the bulletin cuts a wide swath across service packs and versions spanning the SQL Server 2005 and SQL Server 2008 releases.
The last important patch on the slate will be an elevation-of-privilege fix for Windows components, but it will only affect Windows Server 2003 and 2008.
Security experts say that in light of a very heavy rollout, IT and security admins should be checking Microsoft's exploitability index. It will help them see how the security bulletins will affect their critical systems.
"All in all, this is a big update," said Wolfgang Kandek, CTO at Qualys. "And system administrators will need to plan closely as both workstations and servers are affected by the critical bulletins. In addition, applications such as Excel, Adobe Reader and Java will have to be taken into account this month."
Those prospects will likely keep IT pros busy this month, but there's more. All of Microsoft's June security updates may require a system restart.
If any time is left, Microsoft once again invites IT pros to check out changes to the Windows Update and Windows Server Update Services in this Knowledge Base article.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.