Microsoft plans gigantic Patch Tuesday next week
Microsoft said it will deliver 10 security updates next week to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office, and SharePoint.
The patches will also quash two bugs that Microsoft acknowledged in February and April.
“I’d actually call this a moderate month,” said Andrew Storms, director of security operations at nCircle Security. “Looking at the criticality of the bulletins, and the fact that the number [of bulletins] is low, it doesn’t look like a huge month to me.”
By the numbers, however, next week’s updates will be huge. Although the 10 updates fall short of the record of 13 — first set in October 2009, then repeated in February 2010 — Microsoft will fix a total of 34 vulnerabilities, the same number as the current record, also set last October.
Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In May, for example, the company issued just two bulletins that patched two vulnerabilities. April’s collection, meanwhile, amounted to 11 bulletins that fixed 25 flaws.
The monthly advance notification spelled out the patches expected to appear next Tuesday.
Of the 10 updates, Microsoft labeled three as “critical,” the highest threat ranking in the company’s four-step system. The seven remaining patches have been pegged as “important,” the next step down from critical. Two of the three critical updates will address issues in Windows, while the third will tackle Internet Explorer (IE).
All six updates affecting Windows will impact Microsoft’s newest operating system, Windows 7. And with one exception — Windows 2000 and Windows XP will not need Bulletin 9 — all currently-supported versions of Windows will require all the patches.
“There’s no safe harbor this month,” said Storms.
The IE update applies to IE6, IE7 and IE8, and was ranked critical for all three versions for Windows XP, Windows Vista and Windows 7. However, the oldest still-supported version of the browser — IE 5.01 on Windows 2000 — is not affected by the flaw(s).
“The IE update will be at the top of the [to-do] list next week,” bet Storms.
Microsoft has gotten into the habit of patching its browser every other month; it last updated IE in late March when it rushed out an emergency fix for a zero-day bug. That update, however, had been meant to ship in April.
Another update will patch one or more vulnerabilities in Excel 2002, 2003 and 2007 on Windows, and Excel 2004 and 2008 on the Mac. Excel 2010, the spreadsheet included in the just-released-to-businesses Office 2010 suite, does not contain the bug and will not need a patch, confirmed Jerry Bryant, a general manager with the Microsoft Security Response Center (MSRC), in an e-mail today. Other updates will close out a pair of flaws that Microsoft confirmed in two earlier security advisories. The oldest warning was issued in February, and noted that hackers could exploit IE on Windows XP to read every file on a victim’s PC. That fix will presumably be one of several included in the IE update.
Microsoft will also patch a problem in SharePoint Server 2007 that it publicized in April. The zero-day bug could be used by attackers to steal companies’ confidential information.
NCircle’s Storms said another update to watch is the one Microsoft identified today only as Bulletin 3; the update will affect all versions of Windows, but was rated critical for Windows 2000, XP, Vista and Windows 7. The server-side operating systems, however, were ranked as “moderate.”
“That tells me it’s something on the client side,” said Storms. “It’s critical, and should be patched as fast as Internet Explorer next week.”
Tuesday’s updates will be the second-to-last for Windows 2000 and Windows XP Service Pack 2 (SP2), both which will be retired from security support in mid-July.
Microsoft will release the 10 updates at approximately 1 p.m. ET on June 8.