Establishing Digital Trust: Don't Sacrifice Security for Convenience
Microsoft's "Patch Tuesday" bug fixes were a relatively light load for security professionals to deal with in March but that seems to have been only a momentary lull.
According to Microsoft's (NASDAQ: MSFT) advance notification email to customers on Thursday, next Tuesday, security pros will have 9 "critical" patches to roll out to users, along with another 8 "important" patches.
Most of them may require that patched systems be restarted -- which can add up to be a fairly time-intensive process for security professionals.
That contrasts with March, when Microsoft only had three patches to distribute to customers, and only one of those was ranked critical, the highest threat ranking in the company's four-tiered severity rating scale.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
It's an indication though that Microsoft's days of large numbers of security patches are far from over, according to one security researcher.
"No matter how you look at it, it's ugly. There are 17 bulletins this month and over half of them are critical, [while] all but two provide for remote code execution," Paul Henry, forensic and security analyst at researcher Lumension, said in an email to InternetNews.com.
So much for security professionals' hope that the volume of patches will sink in the new year.
"We're well into a new year and things have not improved. In fact, theyve gotten worse," Henry added.
In fact, according to another security firm, Microsoft is again preparing to release a nearly record-breaking number of bug fixes.
"Microsoft announced today it will release 17 security bulletins on the April 12 Patch Tuesday which will address a total of 64 vulnerabilities," Amol Sarwate, manager of the vulnerability research lab at researcher Qualys, said in an email to InternetNews.com.
The vast majority of patches coming in April provide fixes for holes in various versions of Windows. That extends from Windows XP Service Pack 3 (SP3) and Windows Server 2003, to Windows Server 2008 and Windows Vista, to Windows 7, Microsoft's advance notification email said.
"This is a huge update and system administrators should plan for deployment as all windows systems including Server 2008 and Windows 7 are affected by critical bulletins. Frequently used office applications like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also affected," Sarwate added.
Microsoft releases most of its security patches for its products on the second Tuesday of each month, in order to provide predictability for security professionals' planning purposes. Thus that date -- this month it will be April 12 -- is known as "Patch Tuesday."
The Thursday before Patch Tuesday, Microsoft sends out an advance notification that provides some information on the following week's patches, although it is careful not to provide any actual details of the patches in advance so as not to provide any help to hackers prior to the release of the actual patches.