Microsoft Patch Tuesday Update Sets Record6:47 PM EST Fri. Oct. 09, 2009
Microsoft's upcoming Patch Tuesday update will set a record as the largest yet, with 13 patches that fix a total of 34 vulnerabilities -- including two zero-day flaws.
Microsoft gave eight of the 13 patches the highest severity ranking of critical, indicating that they repair errors that allow hackers to launch malicious attacks remotely, typically to steal information.
Thus far, Microsoft's patch record has been 12 in one month, which it reached both in February 2007 and October 2008.
The October patch covers both critical flaws and flaws given the slightly less severe ranking of "important" in Windows, Internet Explorer, Microsoft Office SQL Server, Microsoft Forefront, Silverlight and Developer Tools.
In addition, two of the Microsoft patches cover zero-day vulnerabilities in the Server Message Block service implementation -- the network file sharing protocol -- as well as another actively exploited flaw occurring in the FTP service.
The SMB vulnerability, which affects Windows 7, Vista, XP, Server 2003 and Server 2008, occurs in the way that version 2 of the protocol parses SMB requests.
The Patch Tuesday security update also covers a critical FTP vulnerability, which Microsoft said had been previously exploited in "limited attacks." The zero-day vulnerability occurs in the FTP service in numerous versions of Microsoft Internet Information Services. Attackers who exploit the flaw could execute malicious code on IIS version 5.0 or launch denial of service attacks on systems running the FTP service on IIS version 5.0, 5.1, 6.0 and 7.0.
Microsoft will address both the SMB and FTP vulnerabilities with patches a little more than a month after they were first disclosed in September, and security experts say the company is in general becoming more responsive to zero-day flaws as it further invests resources into its security offerings such as Forefront and the new free antimalware scanner Microsoft Security Essentials.
"They take it a lot more seriously and have been a lot more responsive to the community," said Chester Wisniewsky, senior security adviser for Sophos. "I think they realize their security reputation is very important."
Meanwhile, Wisniewsky said that Microsoft has typically dealt with unusually large patches in the fall after serious security vulnerabilities are revealed at summer hacker conferences such as BlackHat and DefCon.
"It's unclear, but if you read the tea leaves a little bit, [the heavy patch load] implies it could be a response to some of those things that were disclosed but haven't been patched yet."