Microsoft slates 12 patches for next week

February 7, 2008 (Computerworld) Microsoft Corp. announced today that it will release a dozen security updates next week, matching the patch record set a year ago. Seven of the 12 will be tagged with the company's highest threat ranking.

"There's not a Windows shop anywhere in the world that won't need to deploy at least one of these patches," said Andrew Storms, director of security operations at nCircle Network Security Inc. And most everyone will be taking all 12."

The tally matches the most delivered in any month during 2007 -- that was February as well -- and greatly outnumbers the two Microsoft handed over last month.

Storms made the case that both the width and depth of the updates means that virtually all parts of the Windows ecosystem will need attention next Tuesday. "Not only are these across the board, but they're deep and wide, too," he said. "It's applications as well as operating systems, on the client side and on the server side."

Among the dozen updates listed in the prepatch notification posted to the Microsoft Web site this morning, are three slated for Microsoft Office, three for Windows, two for Internet Information Server (IIS), and one each for Internet Explorer, Microsoft Works, VBScript and JScript, and Active Directory.

Nor will the patches be limited to Windows, according to Microsoft. Several of the bulletins spell out fixes to Office 2004 for Mac.

But it's the sheer number of updates that struck Storms. "Quite a few people are going to be working overtime next week, starting Tuesday," he said, referring to IT staffers responsible for testing and deploying security updates.

Some past vulnerability trends also look like they're continuing, he added, pointing to the three Office updates. Each pegged an application in the Office 2000 edition with a "critical" vulnerability, but labeled the same bug only "important" in Office XP and Office 2003. The same applications in Office 2007 on Windows and Office for Mac 2008 were missing from the list, indicating that they posed no risk.

"This is following the trend we've been watching for some time," Storms said. "The newer applications are more secure, as they should be, since Microsoft has done more [security-related] work on the newer apps."

He speculated that the Office and Works flaws would turn out to be file-format parsing issues -- a good bet, since the bulk of vulnerabilities uncovered in the past two years in those suites have been related to file-format problems -- and that one of the three Windows fixes may be related to the IP stack.

"In that bulletin, it's listed 'critical' on the client but only 'moderate' on Server 2003," Storms said. "That tells me there's something in the code base that's different [between the client and server versions of Windows]. It might be something to do with the IP stack, maybe another ICMP or IGMP vulnerability."