Microsoft: A Light Patch Tuesday Coming Up

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Some systems managers may get a little gift before the holidays start this year.

Microsoft (NASDAQ: MSFT) will deliver only three security patches next week for its regular Patch Tuesday bug fix drop -- and only one of them qualifies as "critical" -- the highest severity in the company's four-tier security ranking scale.

It will likely come as welcome relief for managers, given that several recent Patch Tuesday bug fix releases have been among the largest in the company's history. For instance, last month Microsoft patched 49 separate security vulnerabilities with a total of 16 patches -- which Microsoft refers to as Security Bulletins.

That stands in stark comparison with November's bulletins. However, that one bulletin is rated as critical for Office 2010, which just shipped in May, as well as Office 2007. The fix is only rated as "important" -- one step down from critical -- for Office XP Service Pack 3 (SP3) and Office 2003 SP3.

The Thursday before Patch Tuesday, Microsoft releases an Advance Notice to warn systems managers how much time and labor to allocate to handle the month's patch installations.

Besides the critical bulletin, the other two security patches being released Tuesday are rated as important. One affects PowerPoint 2002 and 2003, while the other impacts Microsoft Forefront Unified Access Gateway.

Meanwhile, Microsoft also announced it is working to patch a zero-day bug found in Internet Explorer that could lead to compromise of users' systems. However, Microsoft said in its Security Advisory that it has only seen limited attacks "in the wild," and those were confined to IE6 and IE7 running on Windows XP.

Microsoft also said that the only infected website that's been found has already been taken down.

IE8's Data Execution Prevention (DEP) feature blocks attacks on most systems running that version of IE in its default configuration, and IE9, which is currently in beta test, is immune. Administrators can enable DEP on the earlier versions.

"We anticipate exploit writers having a difficult time bypassing DEP," a post to the Microsoft Security Response Center (MSRC) blog said.

While it works to get the promised patch out, Microsoft has already described workarounds. Given that Microsoft issued its Security Advisory Wednesday, though, it's unlikely a patch will be ready for release on next week's Patch Tuesday -- so-called because the company releases the vast majority of its security fixes on the second Tuesday of each month.

The company said it would not issue an out-of-band patch for the problem. However, it has already published a "Fix-It" -- an automated installation of the workarounds online.

A leading representative of the hacker community, HD Moore, chief security officer at research group Rapid7 and chief architect at Metasploit, agreed that the hole may not be worth hackers' time to try to exploit.

"Exploiting this flaw is likely to be difficult on all versions of IE, but the presence on DEP will make it even more challenging with IE8. I doubt we will see a reliable exploit targeting IE8 for this vulnerability," Moore said in an e-mail to InternetNews.com.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.

Keep up to date with the latest Microsoft security news; follow eSecurityPlanet on Twitter @eSecurityP.