Last month's Patch Tuesday was a record-shattering affair. Microsoft delivered 14 security bulletins covering 34 vulnerabilities in its software. On account of the sheer size of the last Patch Tuesday, it would only be fair to expect the next one to address a considerably smaller number of issues. Moreover, Microsoft usually delivers relatively fewer security updates during odd-numbered months like this one.
However, the company will be releasing nine security updates covering 13 vulnerabilities in Windows, Office and its IIS web server software on September 14, 2010 – twice as many as the maximum during an odd-numbered month so far this year.
Although surprised by the unexpectedly large number of security bulletins, analysts believe the large number could be due to the “DLL load hijacking” vulnerability. According to some estimates, the bug affects hundreds of Windows applications. Four out of the nine security bulletins are rated “critical” with all the rest being labeled “important.”
Not a whole lot is being planned for this month's Patch Tuesday, just a couple of relatively low-key updates to Windows and Office, Microsoft says. According to at least one security researcher, this is on par with Microsoft's modus operandi.
"It's the predictable off month for Microsoft," said Andrew Storms, the director of security operations with nCircle Security. "That's all within the predictable pattern they've created."
Storms says Microsoft frequently alternates large and small updates, and since the software maker issued some 11 security updates in April to fix 25 flaws, it's no surprise that this month is much less ambitious.
The single security fix for this Tuesday is considered "critical" for Windows 2000, XP, Vista, Server 2003, and Server 2008, and "important" for Windows 7 and Server 2008 R2.
"Windows 7 and Windows Server 2008 R2 customers will be offered the Windows-related update but they are not vulnerable in their default configurations," said Jerry Bryant, a security program manager, in an entry on the Microsoft Security Response Center (MSRC) blog.
It's a good thing most of us have long since moved on from dial-up, because come Tuesday, Microsoft said it will send out its largest-ever number of security updates to plug holes in every version of Windows, including the first update for Windows 7 RTM. Internet Explorer, Office, SQL Server, Forefront Security client, and some developer tools will also be in the mix.
"Thirteen is not a lucky number," said Andrew Storms, director of security operations at nCircle Network Security, in response to the monster update scheduled for October 13. "They've been a busy bunch at Microsoft, that's for sure."
Microsoft will ship 13 updates in all next week, eight of them considered critical. That's enough to break the record of 12 updates shipped in February 2007 and October 2008.
Five of the updates will affect Windows 7, even though the OS has yet to formally launch. However, enterprises with volume licenses, party hosts, and others have been able to obtain and run the finalized OS for a while now.
June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."
Users of Windows 2000 SP4 through Windows Vista SP2 (and holdouts still running Windows 7 Beta); Microsoft Office 2000, 2003, or 2007; Microsoft Office for MacOS 2004 and 2008; Microsoft Works 8.5 and 9; and IE 5.01 through IE 8 have some work to do before heading off on vacation, as do users of Adobe Reader and Acrobat 7.x, 8.x and 9.x. To find out what's being changed - and why - join us after the break.
Today, Microsoft released a trio of security bulletins covering all currently-supported Windows versions. Users of Windows 2000 SP4 through Windows Vista SP1 (as well as Windows Server 2003 and 2008) need to install the update for the critical Windows kernel vulnerability noted in Security Bulletin MS09-006. The other two bulletins (MS09-007 and MS09-008) solve important vulnerabilities in SChannel (007) and DNS/WINS Server (008); these bulletins apply to Windows 2000 SP4 through Windows XP and Server 2003 only.
Other updates to look for include the usual updates to the Malicious Software Removal Tool and the Windows Mail junk email filter. If you're on Automatic Updates, follow instructions to reboot if needed after installation. If you prefer to be in charge, don't forget to download and install these as soon as possible.
Whether you're using Windows and IE, managing Microsoft Exchange or SQL Server at work, or using Microsoft Office, this month's Patch Tuesday has a security update for you. All four security bulletins address Remote Code Execution vulnerabilities in recent and current service packs for each product listed:
IE 7: Windows XP, Windows Vista, Windows Server 2003
Microsoft Office: Visio 2002, 2003, 2007
SQL: SQL Server 2000 Desktop Engine on Windows 2000 and Windows Server 2003; Windows Internal Database (WYukon) on Windows Server 2003 and Windows Server 2008; SQL Server 2000 and SQL Server 2005
Exchange Server: Exchange 2000 Server, Exchange Server 2003, Exchange Server 2007
But Wait, There's More!
Other updates to be released tomorrow include:
Cumulative Update for Windows Vista Media Center (KB960544)
Cumulative Update for Windows Vista Media Center TVPack (KB958653)
Upgrade Rollup for ActiveX Killbits for Windows (KB960715)
February 2009 updates for Windows Mail Junk Email Filter (KB905866) and Windows Malicious Software Removal Tool (KB890830)
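Administrators who prefer to stay in charge of patching, as the articles above suggest, usually want a quick way to confirm that a given month's Windows updates actually landed on a machine. The following script is an added example and not part of the original article or any Microsoft tooling; it assumes Windows PowerShell with the built-in Get-HotFix cmdlet (a wrapper over the Win32_QuickFixEngineering WMI class). The KB numbers used as sample input are the ones named in the list above.

```powershell
# Added example (not from the original article): report which of a set of
# expected Windows update KBs are present on a machine.
#
# Caveats a practitioner should know:
#  - Get-HotFix only sees Windows updates registered as hotfixes. Office,
#    Adobe and similar application updates are not listed here and must be
#    checked through their own inventories.
#  - Tools such as the Malicious Software Removal Tool (KB890830) generally
#    do not register as hotfixes, so an "Installed = False" for such items is
#    not evidence that the tool was never run.
#
# Sample input: KB numbers taken from the article's list (ActiveX Killbits
# rollup and Windows Mail junk filter). Edit to match the month being checked.
$ExpectedKBs = @('KB960715', 'KB905866')

function Get-UpdateStatus {
    param(
        [Parameter(Mandatory)] [string[]] $Expected,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # HotFixID values look like "KB960715"; normalise case before comparing.
    $installed = Get-HotFix -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID.ToUpperInvariant() }

    foreach ($kb in $Expected) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            KB           = $kb
            Installed    = ($installed -contains $kb.ToUpperInvariant())
        }
    }
}

# Print a table, then exit non-zero if anything expected is missing, so the
# script can be used from a scheduled job or a monitoring check.
$status = Get-UpdateStatus -Expected $ExpectedKBs
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Installed }) {
    Write-Warning "One or more expected updates are missing on $env:COMPUTERNAME."
    exit 1
}
```

Running it against a remote host is a matter of passing -ComputerName; the Get-HotFix cmdlet handles the WMI connection. Because the check is a simple membership test on HotFixID, it is suitable for a quick post-Patch-Tuesday sweep but not a substitute for a full vulnerability scan, which would also confirm file versions and the application updates this cmdlet cannot see.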
Not even a moment after Microsoft fixed 28 vulnerabilities in their software this past Patch Tuesday, a brand new exploit popped up in Internet Explorer 7.
The new exploit allows attackers the ability to execute arbitrary code whenever someone visits a malicious website. Currently only users running Windows XP and Server 2003 are being targeted, so you Vista users haven’t a thing to worry about. Microsoft said they’re currently working on a patch to fix the issue, but they were unable to set a date.
“Internet Explorer remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be across any site on the Internet,” said eEye's director of Research and Preview Services, Andre Protas. “An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.”
Until this issue is taken care of, those of you that are using IE7 can go and snag eEye’s Blink Software for protection from this threat. Or, you could go snag one of the other browsers, such as Mozilla’s Firefox or Google’s Chrome. I hear they’re not too shabby!
Microsoft’s last Patch Tuesday of 2008 is on its way, and it’s bringing a heavy amount of updates that you’ll want to be ready for.
Yesterday Microsoft announced a whopping eight security bulletins that will be going public on December 9th. The announcement was meant to allow IT departments some prep time before the post-Monday patch fiasco. Six of the bulletins have been listed as “critical” with two posted up as “important.”
Of the patches, two of them are meant directly for Windows itself. The others are for the separate applications of Microsoft’s Office suite.
This month's Patch Tuesday, unlike October's, is a quiet one, with just two security bulletins:
MS08-069 solves a remote code execution vulnerability in Microsoft's XML Core Service that is rated as Critical for version 3.0 and Important for later versions. All 32-bit and 64-bit desktop versions of Windows from Windows 2000 SP4 through Windows Vista SP1 are affected, as well as Microsoft Office 2003 and 2007. The Exploitability Index is 1 (Consistent Exploit Code Likely - the most serious ranking) or 2 (Inconsistent Exploit Code Likely), depending upon the version of XML Core Services installed. Windows Server 2003 and some installations of Windows Server 2008 are also affected.
MS08-068 patches a remote code execution vulnerability in the SMB protocol. MS08-068 is rated as Important for Windows 2000 SP4 and Windows XP, and Moderate for Windows Vista. Windows Server 2003 and all Windows Server 2008 installations are also affected. Despite Microsoft's rating this vulnerability as only Important rather than Critical, MS08-068's Exploitability Index is 1 because exploit code targeting Windows XP is already public.
That's it for Patch Tuesday security bulletins, both of which will be arriving soon via Windows Update (or can be downloaded manually if you prefer). What else has Microsoft served up?
The only non-security content this time is the usual monthly update for the Malicious Software Removal Tool (KB890830; updated since this article was first posted) and the usual monthly update for the Windows Mail junk mail filter (KB905866), available in 32-bit and 64-bit versions.
Redmond usually releases security patches once a month, on Patch Tuesday, but Microsoft's security experts are worried enough about a newly reported vulnerability in the Server service to post an "out-of-band" security update, MS08-067, yesterday for all versions of Windows from Windows 2000 SP4 through Windows Server 2008 and Windows 7 pre-beta. Microsoft hasn't issued a security update between Patch Tuesday releases since April 2007, so this is a significant security issue.
Although all supported versions of Windows are vulnerable, Windows 2000 SP4, Windows XP, and Windows Server 2003 are especially vulnerable to this flaw, which can permit remote code execution via a specially crafted RPC request.
To find out what makes this vulnerability so critical, and to learn how to get the update, join us after the jump.