Microsoft: Big Patch Tuesday for IT Administrators


Microsoft issued one of its largest collections of security fixes ever on Tuesday, releasing a total of 14 patches that secure 34 vulnerabilities, most primarily in Windows, but also a couple in the Office productivity applications.

The release, which was part of Microsoft's (NASDAQ: MSFT) Patch Tuesday event for August, includes eight "critical" patches and six "important" patches, according to a Microsoft statement. Each patch can, and often does, include fixes for multiple security flaws.

In Microsoft parlance, "critical" is the highest tier and most dangerous in the company's four-tier threat rating system, while "important" is the second-most hazardous.

Tuesday's patch release is bound to keep PC help desk personnel and PC administrators busy patching and testing all week, if not longer.

"IT admins should first tackle the updates that represent the biggest attack potential: end-users and Internet browsing are at the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of '1,' indicating that working exploits are expected within 30 days," bug sleuth Qualys CTO Wolfgang Kandek told in an e-mail.

Microsoft sent out an advance notification last Thursday warning staff with responsibilities for deploying fixes of the busy week ahead. None of the flaws fixed in Tuesday's patches have been exploited in the wild so far.

First things first

High on the list of holes that Microsoft suggests plugging first is one that can completely compromise systems running Windows XP Service Pack 3 (SP3), XP Professional x64 SP2 and both 32-bit and 64-bit versions of Windows Server 2003 SP2. The Flaw involves how Microsoft's DirectShow MP3 filter processes supported files. All a user would need to do in order to be sideswiped by a "drive-by download" that takes over his or her PC is visit a site that hosts a malicious media file.

Also near the top of Microsoft's suggested priority list is a patch that protects against attack via another media format file handled by the Cinepak Codec, which is included in Windows Media Player. Again, all a user would need to do to become infected is visit a booby-trapped site, or open a specially crafted streaming media file sent via e-mail. The flaw affects all supported versions of the Windows client, from XP SP3 to Vista, and even Windows 7.

Meanwhile, No. 3 on Microsoft's most critical list affects Office Word 2007 SP2 and how it processes Rich Text Format (RTF) emails and files. Opening a malicious RTF email or visiting a site that contains a predatory attack file is all it would take for a hacker to take over a user's PC.

Rounding out the top four patches that Microsoft recommends IT install first is another one that deals with media issues. This one, however, affects Microsoft's "cross-browser, cross-platform implementation of the Microsoft .NET Framework for building media experiences and rich interactive applications for the Web."

Silverlight is Microsoft's challenge to Adobe's Flash technology.

However, the flaws fixed by the patch also affect several other versions of the .NET Framework.

The other four critical patches address six separate flaws in Internet Explorer, two critical holes in Windows' Secure Channel security technology, one critical vulnerability in Windows' XML engine and several that affect XP's support for the Server Message Block (SMB) network protocol.

Finally, Microsoft also released a Security Advisory -- a notice for administrators that the company is examining a possible security vulnerability that impacts what's called the Windows Service Isolation feature. However, Microsoft's advisory said that the feature is not a vulnerability, but a defense-in-depth feature that is only used as an option and, therefore, does not need to be patched.

Despite the urgency of many of the patches, however, security experts advise that implementers plan ahead.

"This many patches can increase network bandwidth, increase the time for the system to run each patch and require reboots. Be sure to take the time and review the bulletin summaries and have a clear plan of a patch attack," Jason Miller, data and security team manager at security firm Shavlik Technologies, told in an e-mail.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.