Researcher sees Patch Tuesday 'nightmare'

Usual rules may not apply, given volume and complexity of Microsoft security update

Corporate security and network administrators face a "nightmare" task just trying to figure out what to patch and what to let slide after Microsoft issued its biggest-ever batch of updates today, researchers argued.

"This is the biggest number of bulletins," said Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "It's also the biggest number of individual patches."

The bottom line, said Miller: "This is an administrative nightmare, just trying to get a good grasp of what's out there."

Wolfgang Kandek, the chief technology officer at Qualys, agreed. "This is a huge release," said Kandek. "No one will be untouched."

Today's security updates from Microsoft were unprecedented, with 13 separate bulletins that quashed 34 vulnerabilities. Both were records for the company since it began delivering monthly updates six years ago.

Miller and Kandek noted that several of the security bulletins were extraordinarily complex, which will only complicate the chore of deciding what to patch immediately, and what can wait.

"Just focus on MS09-062 ," said Miller, speaking of the bulletin that patched eight different bugs in the GDI+ (Graphics Device Interface) component within Windows. "The sheer number of products listed as affected is immense."

Microsoft acknowledged that the GDI+ patches affected Windows XP, Vista, Server 2003, Server 2008, Internet Explorer (IE), .NET Framework, all supported editions of Office, SQL Server, Visual Studio and Forefront Client Security.

"GDI touches everything," said Kandek. "And it's a complicated component."

"We're talking about an older technology that's been around for awhile," added Miller, referring to the familiarity hackers have with GDI, and thus the increased likelihood that they will be able to craft exploits for the bugs Microsoft revealed today. "The vulnerabilities affect a lot of different file formats, including Office. If you're running anything made by Microsoft, you're probably going to be affected by this one."

Miller saw two choices for Microsoft's customers: Either postpone patching some of the vulnerabilities or separate the updates into batches that can be rolled out in stages. "This month, they will either have to throw out their normal procedures, or extend their patching cycle by taking them in bunches," said Miller.

Andrew Storms, director of security operations at nCircle Network Security, warned administrators not to do the former. "Despite the number of bulletins and the workload, it's going to be important that companies use the same diligence as always," said Storms. "That's what is going to win the game for everyone."

Given the number of updates that need to be applied, it was no surprise that Miller, Kandek and Storms each had their own recommendations on what patches to roll out pronto.

"The IE update is the most important," said Kandek, talking about MS09-054 , which fixes four critical flaws in the popular browser. "That's what people use. And applying the patch immediately should not break anything."

He also put the GDI+ update at the top of his list, as did Miller. "IE and GDI should be patched first, just because of the huge target base," reasoned Miller. "IE is the richest target.... All hackers need is a malicious site to take advantage of the vulnerabilities."

Storms, on the other hand, suggested people deploy MS09-050 and MS09-053 as soon as possible: Those updates fix flaws Microsoft revealed more than a month ago in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol, and in the FTP server included with older editions of the Internet Information Services (IIS) Web server.

"I would put the two items in the public domain at the top of the list," said Storms. "And then MS09-051 and the IE updates, the latter because those kind of client-side bugs get a lot of attention from attackers."

MS09-051 patches a pair of vulnerabilities in Windows Media's codecs that could easily be exploited, said Storms, by hackers via "drive-by" attacks launched from malicious or hijacked legitimate Web sites.

"It's going to be tough for administrators to do their research this month," said Miller. "I can see some people just doing the ones as they see fit."

This month's 13 security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftmicrosoft patchessecurity patch

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?