Establishing Digital Trust: Don't Sacrifice Security for Convenience
It's the sweltering dog days of summer and a lot of system administrators are out on vacation, but August's Patch Tuesday event is bound to be a hectic one for IT staffs charged with keeping up with Microsoft's monthly security fixes.
Microsoft (NASDAQ: MSFT) plans to release eight "critical" security patches on Tuesday and an additional six "important" patches, the company's security mavens announced on Thursday. In those 14 patches, Microsoft aims to fix a total of 34 security flaws in its products.
The news came in an advance notification that the company sends out to system administrators and PC help desk staffs every month on the Thursday before the second Tuesday of the month. It is meant to provide a heads up so that they can prepare and schedule work time to deploy the actual fixes themselves on what's come to be known as "Patch Tuesday."
"Any last ditch effort to enjoy the end of summer is being put off with another huge Patch Tuesday," Paul Henry, security analyst for vulnerability researcher Lumension, said in an e-mail to InternetNews.com.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Of the 14 pending patches, all but two directly affect Windows and, of the critical patches, several affect all supported versions of Windows. These include XP Service Pack 3 -- the only version of XP still supported -- all the way to Windows 7 and its sibling Windows Server 2008 Release 2 (R2), and everything in between. One of the critical Windows patches also affects Internet Explorer 6, 7 and 8.
Companies that still have versions of XP SP2 or Windows 2000 SP4 in use, however, are out of luck.
Last month, Microsoft retired all support for those two systems, despite the fact that XP SP2 is by far the most deployed version of XP still in use in corporate settings.
"With such a large number of bulletins, Im curious to see how many will be able to be turned into reliable exploits. Several of the Windows OS bulletins will likely lead to drive-by-based attacks," Josh Abraham, researcher for security firm Rapid7, said in an e-mail to InternetNews.com.
Microsoft is also issuing patches that block threats to Microsoft Word 2007 SP2, and one to fix Silverlight 2 and 3 -- Microsoft's streaming media competitor to Adobe Flash.
That said, for some system administrators, August has already started off with a bang.
Earlier this week, Microsoft issued a so-called "out-of-band" patch for a zero-day vulnerability in the way all versions of Windows handle processing of .LNK files used to display icons for shortcuts.
Microsoft might have chosen to hold onto the shortcut files patch for the extra week and release it at the same time as the Patch Tuesday fixes; however, since the hole was already being attacked by hackers and those attacks were escalating, Microsoft's security team chose to release it early, rather than wait and risk further attacks.
The advance notice notwithstanding, Patch Tuesday is when the real work begins.