Microsoft slates colossal Windows patch next week

Ties record with 13 security updates, plans to fix 26 bugs in Windows, Office

Microsoft today said it will deliver a record-tying 13 security updates on Tuesday to patch more than two dozen vulnerabilities in Windows and Office.

The company will ship a total of 13 updates next week, five of them pegged "critical," the highest threat ranking in its four-step scoring system. The 13 updates will tie the record from October 2009, when Microsoft issued the same number of bulletins, but fixed a total of 34 vulnerabilities . According to Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC) , next week's updates will patch 26 flaws.

"A lot? That's an understatement," said Andrew Storms, director of security operations at nCircle Network Security. "But we could have had 14," he added, referring to the emergency Internet Explorer (IE) update Microsoft released two weeks ago. That "out-of-band" update was originally slated to be included in the collection set to ship this month.

Of the eight updates not marked critical, seven were ranked "important," the next-lower rating, while one was pegged "moderate." Eleven of the 13 will affect one or more editions of Windows; the remaining pair will affect Office XP and Office 2003 on Windows, and Office 2004 for Mac.

"What's kind of interesting this month is that there are fewer applications updates," said Storms, talking about the 11-to-2 ratio of Windows-to-Office security bulletins. The trend, Storms noted, has been the opposite: Microsoft applications, primarily Office and IE, have been extensively exploited by hackers, who have shied away from Windows itself because attacking applications has been easier.

That's not to say there isn't evidence of long-standing trends in the massive matrix that Microsoft spelled out in today's advance notification . One trend: Newer software is generally more secure than older software.

"We know that the newer operating systems are more secure," said Storms. "They use newer code, and were created with SDL [Security Development Lifecycle]," he added. SDL is Microsoft's term for a programming philosophy that bakes security awareness into all aspects of development. As proof, Storms pointed to Windows Server 2008 R2, the newest version of Microsoft's server software. "It has the least number of bulletins," he said.

Server 2008 R2 will be affected by 5 of the 11 Windows updates. Windows 7 , the newest client operating system, will be impacted by the same percentage, 45%, of the total. The eight-year-old Windows XP, meanwhile, will require 8 of the 11, or 73% of Windows updates, while the even older Windows 2000 will be affected by 9 of the 11, or 82% of the total.

"Every month, there's a new reason to get off the older operating systems, to get off the older applications," said Storms.

Storms was hesitant to delve deeply into the affected software matrix Microsoft published as part of its heads-up. "I'll need a Powerbar to do that," he joked. But the update Microsoft tapped as "Bulletin 1" caught his eye, nonetheless. That update ran counter to the norm, for it was rated critical for Windows XP, important for Vista, then back to critical for Windows 7. Because Vista and Windows 7 share a code base, vulnerabilities that affect them are almost always ranked identically.

"Maybe it's something to do with User Account Control," Storms guessed. User Account Control (UAC), is the term for the prompts users see in Windows Vista and Windows 7 that require approval for tasks that may have security implications, such as installing new software. "The more-in-your-face UAC version in Vista might be more annoying, but it might provide some mitigation that UAC doesn't in Windows 7 for this vulnerability," Storms argued.

Bryant, of the MSRC, confirmed that Microsoft will close only one of the three outstanding security advisories. Microsoft will patch the 17-year-old bug in the kernel of all 32-bit versions of Windows. The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem, a component that runs DOS and 16-bit Windows software, was publicly disclosed Jan. 19 by Google engineer Tavis Ormandy on the Full Disclosure security mailing list.

Two other advisories, including the one involving IE that Microsoft issued just yesterday , will not be patched next week, Bryant said.

"The good thing this month is that there are no mission-critical applications affected, like SQL Server and Exchange," said Storms, looking for a silver lining in the massive update. And he urged IT administrators to do what they could to prepare for next Tuesday. "I'll be asking my team, 'What are we behind on that we can spend the next few days catching up?' and then look at next week's [current] schedule and ask, 'What can we delay?'"

Microsoft will release the 13 updates at approximately 1 p.m. ET on Feb. 9.

Join the PC World newsletter!

Error: Please check your email address.

Tags Server 2008 R2security patchMicrosoft

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?