Patch Tuesday to deliver Valentine's bug massacre

gallery

It looks as though the slow start to the Microsoft patching cycle on 2007 is over, with twelve significant security updates due to drop in next Tuesday's monthly patch release.

The January release of the software giant's 'Patch Tuesday' monthly cycle of security updates addressed only three flaws.

But seven of next week's twelve updates in the Microsoft security bulletin issued late yesterday were given its highest, 'critical' rating. The other five are rated 'important'.

Alan Bentley, regional vice president of security firm, Lumension (formerly PatchLink) said the number of patches this month means IT administrators might be working on deployment and testing through Valentine's Day to get systems up-to-date.

"This month's patches are going to require a great deal of man hours for IT administrators, from determining what is affected to the testing and deployment processes," he said.

The bulletin said the critical updates affect Microsoft's Windows operating system, Internet Explorer (IE) and its Office platform: two for Windows and one each for IE, Office, Office Publisher and Microsoft Word each. The last affects IE's JScript scripting languages and VBScript.

Each critical update would patch a vulnerability that could allow hackers to run unauthorised software on an un-patched PC, Microsoft said.

Bentley said: "As so many critical patches affect so many applications, these are widespread enough to have a bigger effect than we've seen in a year and they are going to require the utmost attention and energy. In addition, so many remote code execution flaws that don't require end-user interaction are hugely critical because of the danger of malware and rootkits."

He also said that, because users are so used to trusting and opening Office attachments, the fact that there are three critical patches for Office "opens up a huge window for a potential attack, whether general or targeted".

The important updates are for Windows Active Directory, Windows Vista and Microsoft Works, as well as two for its Internet Information Services (IIS) web server software.

"The two important patches for IIS is surprising because this is a very prime target compared to an endpoint and this is definitely not something that you want to be vulnerable. IT administrators should examine these patches closely," added Bentley.

On average, Microsoft released just under six patches per month last year. The bumper crop due next Tuesday is scheduled to drop at 1pm US Eastern time (6pm GMT).

Email to a friend

Print this page