Microsoft to offer five critical patches on Tuesday
by Steve Ragan - Sep 3 2009, 21:26
Microsoft has issued the advance notification for this month’s Patch Tuesday, reporting that there will be five updates, all of them critical and all of them aimed at the Windows OS itself. Missing from the advance notification is mention of a patch for the recently disclosed IIS vulnerability.
Don Leatham, senior director of solutions and strategy for Lumension, told The Tech Herald in an email that two of the updates this month will cause some level of disruption, as they will require restarts on the systems they are installed on.
Aside from the news that Microsoft will offer five critical updates this month, another notable issue is the fact that Windows Server 2000, 2003, and 2008 are included in the list of core Microsoft operating platforms that will need updating. Leatham noted that this will mean that both server and desktop IT groups will have something to do next Tuesday.
The big desktop-related speculation will center on Windows Vista, which is affected by four of the five critical updates.
“This brings up an interesting situation as Windows 7 and Windows 2008 R2 were released to manufacturing (RTM) early last month, which means many Microsoft Partners and corporate customers will have started using/evaluating these two new platforms,” Leatham noted.
“Given the significant amount of code shared between Vista and Windows 7, it is likely that some of these security bulletins could apply to Windows 7 or Server 2008 R2, but this is not addressed in the information released by Microsoft today. Partners and customers with access to the RTM builds will want to carefully track the bulletins in the future to see if they are updated to apply to Windows 7 and Windows 2008 R2.”
There is no word in this month’s advance notice about the IIS flaw, which Microsoft is aware of and currently investigating. Earlier this week, Microsoft said it is continuing to examine the vulnerability in IIS disclosed on Monday, after proof-of-concept code was published online.
As previously reported, the vulnerability affects IIS (Internet Information Services) versions 5, 5.1, and 6.0. Specifically, the vulnerable part of IIS is the FTP service. If exploited, the flaw could allow remote code execution on affected systems running the FTP service and connected to the Internet.
The FTP service is not installed by default on all supported editions of Windows XP or Windows Server 2003. However, it is installed by default on all supported editions of Microsoft Windows 2000 and all supported editions of Windows Small Business Server 2003.
While it is apparent that there are no plans for a patch this month, many are hopeful one will arrive, as extended support for IIS 5.0 ends in 2010. According to Netcraft, Microsoft’s IIS was used on 49,579,507 servers in August. This total gives IIS a 22 percent share online, second only to Apache, which covers 46 percent of the server market.
The five critical updates are set for release on September 8, at 10:00 a.m. PDT.
The advance notification is here.
