Microsoft Cooking Up Baker's Dozen of Fixes for Patch Tuesday

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Microsoft plans to release nine patches for security holes in a handful of its products when it ships its September security fixes on Tuesday, the company said.

The patches, which can each include numerous fixes, are part of Microsoft's (NASDAQ: MSFT) regular monthly "Patch Tuesday" security release, during which the company issues most of its fixes for security-related holes in its software. On the Thursday prior to Patch Tuesday, Microsoft sends advance notifications to customers as a heads-up to give them some idea of how much time and effort they'll have to plan for installing and testing the coming patches.

"This month we will be releasing nine bulletins addressing 13 vulnerabilities affecting Windows, Internet Information Services (IIS), and Microsoft Office," Carlene Chmaj, security response communications manager, said in a post to the Microsoft Security Response Center (MSRC) blog.

Four of the nine patches are rated as "critical," the highest in Microsoft's four-tier vulnerability severity ranking.

Three of the critical patches fix holes in systems running Windows XP, Windows Server 2003 and Windows Vista. At least two of the critical patches also affect Windows Server 2008, although none of the patches are critical for Windows 7 -- good news for users and IT administrators running the latest version of the OS. A fourth critical patch impacts Outlook 2002 Service Pack 3.

In terms of how much work they are facing, all nine patches will either require, or may require, that each affected PC or server be restarted -- often a time-consuming task.

Little else is known about the vulnerabilities thus far. In its advance notifications, Microsoft typically describes patches only in very general terms so as not to tip off hackers on where to look for exploitable security holes until administrators have had a chance to address them on Patch Tuesday.

However, at least one security expert agreed that security administrators will have a busy time next week.

At the same time, Wolfgang Kandek, CTO of security firm Qualys, also pointed out that it seems likely that Patch Tuesday will include at least some fixes for software affected by a potential threat that surfaced in August stemming from a widespread flaw in what's known as "DLL preloading."

At least a hundred programs from multiple vendors are affected by the problem, experts have warned. For its part, Microsoft has published a Security Advisory and a workaround to help users of its own programs stay safe. Still, those efforts aren't designed to be permanent fixes, it warned at the time.

"I expect some of the bulletins to address DLL hijacking issues in Microsoft's own products," Kandek said in an e-mail to InternetNews.com.

However, Microsoft is saying little about either the upcoming Patch Tuesday release and its efforts to quash the DLL preloading vulnerability.

"We cannot share the details of the bulletins being released this month," Jerry Bryant, group manager for response communications at Microsoft, said in an e-mail. "The DLL preloading issue is an ongoing investigation. We expect to address affected products through security bulletins and/or defense-in-depth updates."

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.

Follow eSecurityPlanet on Twitter @eSecurityP.