Microsoft prepares massive patch push for October
by Steve Ragan - Oct 9 2009, 22:25
On Tuesday, Microsoft will publish thirteen security bulletins, eight critical and five important, that will address thirty-four vulnerabilities. That makes this month’s release the largest Microsoft patch release since the program started in 2003.
Sheldon Malm, senior director of security strategy at Rapid7, offered us some thoughts on this month’s releases.
“Some instances of Office and other applications are affected, but overall, this is a heavily-focused Windows patch month. It’s also interesting that SQL Server is now in the mix. As we’ve now seen repeatedly, there is another issue only affecting Vista and 2008, as Microsoft, like everyone else, is still prone to coding errors. However, 2008 R2 and Windows 7 are not affected,” Malm said.
“Bulletin 13 is pretty pervasive,” Malm observed, commenting that it would be easier to list the technologies that it doesn’t affect. All Windows versions, except Windows 7 and Server 2008 R2, are impacted by the remote code execution vulnerability addressed by Bulletin 13. SQL Server, Forefront, and Office are also impacted.
Adding to Malm’s thoughts, Paul Zimski, VP of market strategy for Lumension, also noted the number of issues in Bulletin 13, adding, “Before deploying this patch into production environments, however, it will be important to test it vigorously to ensure services are not impacted by unexpected results.”
“On Tuesday, organizations should also pay close attention to the details listed in Bulletins 7 and 9, two ‘important’ vulnerabilities, to determine how critical they are within their business environments,” Zimski said.
“Vulnerabilities involving ‘spoofing’ and ‘elevation of privilege’ should raise an alarm for IT administrators as they can potentially have a big impact on their ability to verify trusted destinations and control user privileges within their organizations – two conceptual things that IT never wants to lose control over.”
The good news for Tuesday is that two previously unpatched issues will finally get their fix. Microsoft said that they will be issuing a fix for SMB and IIS. Aside from Bulletin 13, nine of the remaining bulletins deal with remote code execution, seven of them critical.
More information on Tuesday’s patches can be found here. This is also the same spot to check on Tuesday to view the final details of October’s releases.
