13 Bug Fixes Coming on Patch Tuesday


Tuesday promises to be a busy day for many IT administrators. That's because Microsoft has 13 patches planned for next week's monthly Patch Tuesday updates.

Five of the patches Microsoft (NASDAQ: MSFT) rates as "critical," according to the company's advance notice sent out Thursday.

"Thirteen bulletins make this the busiest February we’ve seen from Microsoft, with only four last year and an average of 11 to 12 in the three years prior," Sheldon Malm, senior director of security strategy at security researcher Rapid7, said in an e-mail to InternetNews.com.

Microsoft typically releases most of its security patches on the second Tuesday of each month, which earned it the nickname Patch Tuesday. On the Thursday prior to the patch releases, the company provides advance warning to IT administrators so that they can plan for the additional workload installing the patches in their organizations often requires.

That looks to be the case this month.

"IT teams managing servers will definitely need to be on high alert this month and have proactive patching plans in place prior to Tuesday," Don Leatham, senior director of solutions and strategy at security firm Lumension, said in an e-mail to InternetNews.com.

All of the patches rated critical in the latest roundup of updates affect Windows, although not all Windows versions are impacted equally. For instance, only two of the five critical patches are rated critical for Windows 7.

However, all of the currently supported versions of Windows -- from Windows 2000 Service Pack 4 (SP4) through Windows 7 and Windows Server 2008 Release 2 (R2) -- have at least one patch that's critical.

All but two of the remaining eight patches also affect Windows. Those two, which are both rated as "important" -- the second-highest level in Microsoft's four-tier ranking system -- are for vulnerabilities in the Office productivity applications suite.

In fact, seven of February's patches are rated important, while the 13th patch is rated "moderate," which is a step below important patches, and two steps below critical patches.

In its advance notice, Microsoft does not identify actual vulnerabilities it will fix the following Tuesday: It only identifies flaws when it releases patches for them.

However, on Tuesday Microsoft will not fix the zero-day vulnerability exposed Wednesday during a presentation by a well-known hacker at the Black Hat security conference held in the Washington area this week.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.