Microsoft slates another monster Patch Tuesday

It will deliver a record 17 security updates patching 40 vulnerabilities

Microsoft today said it will deliver a record 17 security updates next week to patch 40 vulnerabilities in Windows, Internet Explorer (IE), Office, SharePoint and Exchange.

Among the 40 patches will be two that address a pair of bugs that hackers have already exploited.

"I really was not expecting 17," said Andrew Storms, director of security operations at nCircle Security. "I expected 10 at the most."

The 17 updates -- Microsoft calls them "bulletins" -- are a record, beating the count from October 2010 by one. The bulletins that will ship next Tuesday will include 40 patches, Microsoft said, nine fewer than the record set last October, but six more than the next-largest months of October 2009 and June and August of this year.

The total bulletin count for the year -- 106 -- was also a record, as was the number of vulnerabilities patched in those updates: 266.

Microsoft defended the blistering bug patching pace of 2010.

"This is partly due to vulnerability reports in Microsoft products increasing slightly ... [and to the fact that] Microsoft supports products for up to ten years," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC), in a post to the team's blog today. "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports."

But it was December's big number that caught Storms' eye.

"The sheer number is quite surprising for December," said Storms. In the past three years, Microsoft has issued no more than nine updates in December, he said. "And while Microsoft doesn't necessarily take its cues from the rest of the world, the fact is many organizations won't patch a lot of these until after the first of the year," Storms continued.

Not only will enterprise IT staffs be short-handed this month -- what with holidays and vacation time -- but they will be unlikely to risk problems that could crop up in patching during such an important time of the year for their business.

"In this case, there might be less risk involved by doing nothing," said Storms. "That's especially true of companies, like those in the financial sector, that have locked down their networks since early November."

Many firms forbid patching during the last two months of the year to ensure that their hardware continues to operate, said Storms.

Two of the 17 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step scoring system. Another 14 were marked "important," the second-highest rating, while the remaining update was labeled "moderate."

Ten of the updates could be exploited by attackers to remotely inject malicious code into vulnerable PCs, Microsoft said in its usual bare-bones advance notification. Microsoft often labels remote code execution bugs -- the most dangerous -- as important when the vulnerable components are not switched on by default or when other mitigating factors, such as defensive measures like ASLR and DEP, may protect some users.
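Whether ASLR and DEP actually protect a given user depends on the binary opting in: both are flags in the DllCharacteristics field of the PE optional header. The checker below is an added example (not code from the article or from Microsoft) that parses those flags from a Windows executable; the `build_minimal_pe` helper fabricates just enough header bytes to exercise the parser offline, and the flag values are the documented IMAGE_DLLCHARACTERISTICS constants.

```python
import struct

# Documented DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP (NX) compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def mitigation_flags(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers in `data` and report ASLR/DEP opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header is 20 bytes; we need SizeOfOptionalHeader to sanity-check.
    (_machine, _nsect, _ts, _symptr, _nsyms, opt_size, _chars) = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dll_characteristics": dllchars,
    }


def build_minimal_pe(dllchars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: header bytes sufficient for the parser above (not a loadable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # exactly 0x40 bytes
    opt_size = 240 if pe32plus else 224
    coff = struct.pack(
        "<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2
    )
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def describe(path: str) -> str:
    """Human-readable summary for a real file on disk, e.g. describe('C:/Windows/notepad.exe')."""
    with open(path, "rb") as fh:
        flags = mitigation_flags(fh.read(4096))
    return f"{path}: {flags['format']} ASLR={'on' if flags['aslr'] else 'off'} DEP={'on' if flags['dep'] else 'off'}"


if __name__ == "__main__":
    both = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print(mitigation_flags(both))          # constructed image with both mitigations
    print(mitigation_flags(build_minimal_pe(0, pe32plus=True)))  # constructed 64-bit image with neither
```

Only the first few kilobytes of a file are needed, since the headers sit at the start; an image that reports `aslr=False` is exactly the kind of third-party or older component for which the "mitigating factors" in Microsoft's severity reasoning do not apply.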

Among the fixes slated for next week will be one that addresses an already-disclosed vulnerability in all supported versions of IE, said Reavey.

In early November, Microsoft disclosed the zero-day IE bug and confirmed that attacks were already circulating. It was unable to craft and test a patch in time to make it into that month's security update, which appeared six days later.

Next week's IE update is one of the two marked critical, and will affect all versions of the browser with the possible exception of IE9, which is still in preview mode.

Microsoft also intends to patch the last of four Windows vulnerabilities that were used by the notorious Stuxnet worm to infiltrate industrial control systems, said Reavey. As far as Microsoft knows, the bug, which lets attackers elevate access privileges on a compromised PC, has not been exploited by malware other than Stuxnet.

Exploit code for that vulnerability, however, has been available on the Internet for several weeks.

Of the 17 updates, 13 will affect one or more versions of Windows, two will patch Office and Microsoft Works on Windows, and one each will address bugs in the Exchange and SharePoint server software.

Storms was concerned about the Exchange update.

"Anytime it has to do with e-mail, it's concerning," he said, adding that because the server must face the outside world, there may be easily-exploited attack vectors. "SharePoint, on the other hand, is usually very well protected inside the network," he said.

Also of interest, Storms said, was what Microsoft today identified only as "Bulletin 2," an update that affects all versions of Windows, but was tagged as critical for newer editions, including Windows Vista, Windows 7 and Server 2008. The same bulletin was marked as important for the older Windows XP and Server 2003 operating systems.

The Microsoft patch burden this month will be especially tough for administrators to deal with, because of other events, notably the WikiLeaks release of confidential U.S. diplomatic messages, and the resulting retaliatory distributed denial-of-service (DDoS) attacks against firms like Amazon, MasterCard and PayPal.

"It is enough that IT administrators are addressing the current DDoS service attacks surrounding WikiLeaks where anyone could very quickly become a target, but now organizations also have to address this disruptive Patch Tuesday from Microsoft with 17 bulletins," said Paul Henry, a security analyst at Lumension, in an e-mail Thursday.

"There's more than enough to handle at the moment without this Patch Tuesday," added Storms. "There's the ongoing WikiLeaks attacks and then there are always zero-days released around Christmas."

Storms was confident that Microsoft would include workarounds for the most egregious of next week's bugs, which will help organizations and users protect themselves if they are unable to apply the security updates.

"That's something that Microsoft has actually been very good at lately," said Storms. "I expect that they'll deliver a decent set of mitigations."

Microsoft will release the 17 updates at approximately 1 p.m. ET on Dec. 14.

Gregg Keizer

Computerworld (US)