Microsoft Preps for Ginormous Patch Tuesday

Microsoft on Friday announced that it will issue a record 13 security bulletins on its next scheduled Patch Tuesday, which will arrive Oct. 13.

It rates eight of these as critical and the rest as important.

The bulletins address 34 vulnerabilities across a variety of Microsoft products, ranging from Windows to its Forefront security app to Internet Explorer.

What’s the Buzz?

Ten of the 13 bulletins address flaws that enable remote code execution. Eight of these are ranked critical and the other two important.

Of the remaining bulletins tagged important, one addresses a flaw that enables spoofing, one an elevation of privilege, and the last a denial of service.

Systems administrators should install all the patches regardless of whether they are tagged critical or not, warned Randy Abrams, director of technical education at security vendor ESET.

“It’s an error to think you have any significantly higher degree of protection if you don’t patch all known vulnerabilities,” he told TechNewsWorld. “They will probably all be included in exploit packages, and just one unpatched vulnerability becomes as bad as leaving them all unpatched.”

Microsoft will host a webcast to address customer questions about these bulletins on Oct. 14 at 11 a.m. Pacific time. The webcast will be available on demand after that.

What’s Affected

Vulnerabilities in 12 of the bulletins impact the Windows operating system.

The other Microsoft software products to which the Patch Tuesday bulletins will apply are Office, Silverlight, SQL Server, Developer Tools and Forefront.

Forefront is Redmond’s attempt to deliver end-to-end security and manage access to information through an integrated line of protection, access and identity management products.

The problems behind two of the 13 bulletins, which take aim at vulnerabilities in Server Message Block Version 2.0 (SMBv2) and the file transfer protocol (FTP) service in Internet Information Services (IIS), were first discovered a month ago.

SMB is the file-sharing protocol used by default on computers running Microsoft Windows. Version 2.0 runs only on Windows Server 2008 and Windows Vista. The SMBv2 vulnerability arises when the SMB implementation does not correctly parse SMBv2 negotiation requests.

An attacker who successfully exploits this vulnerability can take complete control of the victim’s system. This vulnerability affects all versions of Windows Vista and Windows Server 2008. It also impacts Windows 7 Release Candidate. Microsoft issued Security Advisory 975497 in September as a stopgap measure to deal with this vulnerability.

The FTP service flaw occurs in IIS 5.0 through 7.0 running on various versions of Windows 2000, XP, Windows Server 2003, Vista and Windows Server 2008.

It could allow remote code execution or denial of service (DoS) on systems running FTP Service on IIS 5.0. The flaw allows DoS on the other versions of IIS through 7.0.

Microsoft issued Security Advisory 975191 for this vulnerability in September.

Users may have put the squeeze on Microsoft to resolve these two flaws, Michael Sutton, VP of Security Research at cloud security provider Zscaler, told TechNewsWorld. “It’s not common for Microsoft to comment on the specific issues that will be addressed during a patch cycle, so one can assume that they’ve been under pressure to address these items as quickly as possible,” he explained.

“It’s encouraging to see that these issues will be addressed on Tuesday as they represent a very real threat.”

Phrying up Some Phish

Microsoft acknowledged that the number of bulletins is a new record. “Prior to this release, the most bulletins Microsoft has ever released in a month is 12,” company spokesperson Robert Kremers told TechNewsWorld. However, he declined to discuss the bulletins in detail.

Is the record number of bulletins linked to the FBI’s well-publicized “Operation Phish Phry” in which 100 people were arrested in the United States and Egypt on Wednesday in connection with a phishing ring?

Not necessarily, ESET’s Abrams said. “Microsoft may have been sitting on some vulnerabilities that had not been known to be exploited while they completed a thorough test cycle,” he explained. “There is also a lot more focus by the bad guys investing in finding vulnerabilities.”

Most phishing and spam attacks involve either social engineering or target previously published vulnerabilities that have been left unpatched, according to Zscaler’s Sutton. “Microsoft has made significant strides improving the security of their products,” he said. “While they still face challenges with client-side vulnerabilities, critical server-side vulnerabilities have diminished in recent years.”

Security vendors have their work cut out for them, ESET’s Abrams said. “We are making some progress, but when you start tearing down a mountain, 2,000 truck loads of dirt do not make a visible difference,” he added. “There is most of a mountain of ignorance left to educate.”


More by Richard Adhikari