Microsoft plans double-sized Patch Tuesday next week

Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.

The nine updates due on 14 September are more than double the most Microsoft has delivered in any other odd-numbered month this year; the company traditionally delivers relatively few patches in those months.

Four of the updates were labeled "critical," Microsoft's highest threat ranking in its four-step scoring system. The remaining five were marked "important," the second-highest rating.

The update tally that Microsoft spelled out in its monthly advance notification to customers is "quite substantial," said Wolfgang Kandek, chief security officer of Qualys, considering that September should be an "off" month for patches.

Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In August, for example, Microsoft delivered a record 14 updates that patched a record-tying 34 vulnerabilities. July's batch, however, contained just four bulletins that fixed five flaws.

By that alternating pattern, September should have brought only a small number of security updates.

"I'm a little bit surprised at the number," said Kandek. "Maybe some of them will be fixes for the DLL issue."

Kandek was referring to a vulnerability in a large number of Windows applications (some estimates have put it north of 200) that was first publicly disclosed three weeks ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit hacking toolkit. At the time, Moore said several dozen Windows programs were flawed because they improperly loaded code libraries, known as dynamic-link libraries or DLLs, from wherever Windows happened to search for them, including the directory of a document the user had just opened. That gives attackers a way to hijack a PC by tricking the application into loading a malicious DLL planted next to an otherwise harmless document.

A week later, Microsoft said it could not fix the problem with a patch to Windows itself, and that application developers would have to fix their own products. The company also released a tool that blocks possible attacks but is complicated to use.
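A worked model of the mechanism behind the hijack and of what the blocking tool changes, added here as an example; it is not code from the article, Microsoft, Rapid7 or Qualys. It assumes the documented Windows DLL search order and, for the tool, the CWDIllegalInDllSearch registry value the tool sets (described in Microsoft's KB2264107, which the article does not name). The application, share, DLL names and file system are constructed for the example.

```python
"""Model of the Windows DLL search order behind the "DLL load hijacking" issue.

Added example for this article; it is not code from Microsoft, Rapid7 or Qualys,
and the file system it searches is constructed inline.

Search order for a DLL requested by bare name, with SafeDllSearchMode on (the
default since XP SP2): application directory, System32, System, Windows, the
current working directory (CWD), then each PATH entry.  With SafeDllSearchMode
off, CWD comes right after the application directory.  Opening a document from
a share makes that share the CWD, so any DLL not found earlier in the order is
loaded from the share, which the attacker controls.  KnownDLLs (kernel32.dll,
user32.dll, ...) always come from System32 and are not modelled; the imports
below are deliberately not KnownDLLs.
"""
from typing import Dict, List, Optional, Set

FileSystem = Dict[str, Set[str]]  # directory -> names of files present in it

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# Settings of the CWDIllegalInDllSearch registry value that Microsoft's blocking
# tool configures (assumption: taken from KB2264107, not from the article).
CWD_ALLOW = 0x0                 # CWD searched as usual
CWD_BLOCK_REMOTE = 0x1          # CWD skipped when it is a remote (UNC/WebDAV) folder
CWD_BLOCK_ALWAYS = 0xFFFFFFFF   # CWD never searched


def is_remote(directory: str) -> bool:
    """A UNC path (two leading backslashes) is remote; WebDAV is exposed as UNC too."""
    return directory.startswith("\\\\")


def search_order(app_dir: str, cwd: str, path: List[str], safe_search: bool = True,
                 cwd_policy: int = CWD_ALLOW) -> List[str]:
    """Directories searched, in order, for a bare DLL name under the given policy."""
    skip_cwd = cwd_policy == CWD_BLOCK_ALWAYS or (
        cwd_policy == CWD_BLOCK_REMOTE and is_remote(cwd))
    cwd_part: List[str] = [] if skip_cwd else [cwd]
    if safe_search:
        return [app_dir] + SYSTEM_DIRS + cwd_part + list(path)
    return [app_dir] + cwd_part + SYSTEM_DIRS + list(path)


def resolve_dll(fs: FileSystem, name: str, order: List[str]) -> Optional[str]:
    """Full path of the first copy of `name` along `order` (case-insensitive), or None."""
    for directory in order:
        if name.lower() in {f.lower() for f in fs.get(directory, set())}:
            return directory + "\\" + name
    return None


def hijackable_imports(fs: FileSystem, imports: List[str], app_dir: str, cwd: str,
                       path: List[str], safe_search: bool = True,
                       cwd_policy: int = CWD_ALLOW) -> List[str]:
    """Imports that whoever controls CWD can satisfy before a trusted copy is reached.

    A name is hijackable when CWD is searched and no directory earlier in the order
    holds the DLL: the real copy either sits later (on PATH) or does not exist at all,
    in which case the attacker just drops a file with that name next to the document.
    """
    order = search_order(app_dir, cwd, path, safe_search, cwd_policy)
    if cwd not in order:
        return []
    trusted = order[:order.index(cwd)]
    return [name for name in imports if resolve_dll(fs, name, trusted) is None]


# Constructed scenario: a viewer opens \\attacker\share\report.doc, so CWD is the share.
APP_DIR = r"C:\Program Files\Viewer"
ATTACKER_SHARE = r"\\attacker\share"
PATH = [r"C:\Tools"]
FS: FileSystem = {
    APP_DIR: {"viewer.exe"},
    r"C:\Windows\System32": {"dwmapi.dll"},            # real copy in a system directory
    r"C:\Tools": {"helper.dll"},                        # real copy only on PATH
    ATTACKER_SHARE: {"report.doc", "dwmapi.dll", "helper.dll", "plugin.dll"},
}
IMPORTS = ["dwmapi.dll", "helper.dll", "plugin.dll"]   # plugin.dll: optional, ships nowhere


def demo() -> Dict[str, List[str]]:
    """Hijackable imports of the viewer under the three configurations discussed."""
    return {
        "default": hijackable_imports(FS, IMPORTS, APP_DIR, ATTACKER_SHARE, PATH),
        "SafeDllSearchMode off": hijackable_imports(FS, IMPORTS, APP_DIR, ATTACKER_SHARE, PATH,
                                                    safe_search=False),
        "blocking tool (remote CWD)": hijackable_imports(FS, IMPORTS, APP_DIR, ATTACKER_SHARE,
                                                         PATH, cwd_policy=CWD_BLOCK_REMOTE),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:28s} hijackable: {', '.join(names) or 'none'}")
```

The point the model makes is the one Kandek and Microsoft are circling: with the default search order a DLL that lives in a system directory is safe, but one that an application loads optionally, or only from PATH, is taken from the share; the tool fixes that only by removing the CWD from the search, which is also why Microsoft worries about breaking applications that legitimately rely on it.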

"Some of these could be patches for the DLL issue," said Kandek, pointing to the two updates slated to address vulnerabilities in Microsoft's Office suite.

Researchers have claimed that several Office applications, including PowerPoint 2007 and 2010, and Word 2007, are vulnerable to the bug, which has acquired the name "DLL load hijacking."

By the bare bones details Microsoft includes in its advance warning, "Bulletin 3" could be a patch for Word's DLL problem.

Eight of the nine updates affect one or more versions of Windows; one of those will patch Microsoft's IIS (Internet Information Services) Web server software. Two will impact Office. (Microsoft listed one of the bulletins under both categories.)

"I don't think it's likely that they'll have something [in Windows] on the DLL problem," said Kandek. "I'd like to see it, but it's a tough decision for them because that has the potential of making apps stop working."

Some security experts have speculated that Microsoft could come up with a way to protect Windows users, perhaps by adding a warning that appears when a DLL or executable file is loaded from a Web site or SMB (Server Message Block) share. Their argument rested on the fact that most users will not deploy the blocking tool.

"I don't see too many people going down that route [with the blocking tool]," Kandek said.

Microsoft may take an alternate route to a Windows tweak. Last week, Jerry Bryant, a group manager with the Microsoft Security Response Center, said that the company would offer the blocking tool to companies via Windows Server Update Services (WSUS), Microsoft's most-used business patch management mechanism. He also said Microsoft was thinking about pushing the tool to everyone, including consumers, via Windows Update.

The update mix is strongly slanted towards older versions of Windows, noted Don Leatham, senior director of solutions and strategy at Lumension.

In an e-mail, Leatham pointed out that Windows XP Service Pack 3 (SP3), the only version of the nine-year-old OS that Microsoft still supports, will receive eight updates, three of them critical. Windows Vista, on the other hand, will be affected by just five updates, two of them critical, while Windows 7 will get only three updates, none critical.

"These results show that organizations running Windows 7 are running much more secure environments, and as an added benefit, this Patch Tuesday will practically be a non-event for them," Leatham said. "Organizations stuck on Windows XP need to take a hard look at the cost and risk factors associated with staying on that dated platform."

Microsoft, which typically confirms security advisories it plans to address in an upcoming Patch Tuesday, said nothing about patching the DLL load hijacking issue or closing any other outstanding bugs.

"[We] cannot share the details of the bulletins being released this month," said Bryant in a reply to questions. "The DLL preloading issue is an ongoing investigation. We expect to address affected products through security bulletins and/or defense-in-depth updates."

Microsoft last week said it was looking into new reports of a long-known vulnerability in Internet Explorer (IE). A fix for that next week is unlikely, because the company always names impending IE security updates in its advance notifications, and this one does not.

Microsoft will release the nine updates at approximately 1 p.m. ET on 14 September.


Gregg Keizer

Computerworld (US)