Microsoft's upcoming Patch Tuesday update will set a record as the largest yet, with 13 patches that fix a total of 34 vulnerabilities -- including two zero-day flaws.
Microsoft gave eight of the 13 patches the highest severity ranking of critical, indicating that they repair errors that allow hackers to launch malicious attacks remotely, typically to steal information.
Thus far, Microsoft's patch record has been 12 in one month, which it reached both in February 2007 and October 2008.
The October patch covers both critical flaws and flaws given the slightly less severe ranking of "important" in Windows, Internet Explorer, Microsoft Office SQL Server, Microsoft Forefront, Silverlight and Developer Tools.
In addition, two of the Microsoft patches cover zero-day vulnerabilities in the Server Message Block service implementation -- the network file sharing protocol -- as well as another actively exploited flaw occurring in the FTP service.
The SMB vulnerability, which affects Windows 7, Vista, XP, Server 2003 and Server 2008, occurs in the way that version 2 of the protocol parses SMB requests.
The Patch Tuesday security update also covers a critical FTP vulnerability, which Microsoft said had been previously exploited in "limited attacks." The zero-day vulnerability occurs in the FTP service in numerous versions of Microsoft Internet Information Services. Attackers who exploit the flaw could execute malicious code on IIS version 5.0 or launch denial of service attacks on systems running the FTP service on IIS version 5.0, 5.1, 6.0 and 7.0.
Microsoft will address both the SMB and FTP vulnerabilities with patches a little more than a month after they were first disclosed in September, and security experts say the company is in general becoming more responsive to zero-day flaws as it further invests resources into its security offerings such as Forefront and the new free antimalware scanner Microsoft Security Essentials.
"They take it a lot more seriously and have been a lot more responsive to the community," said Chester Wisniewsky, senior security adviser for Sophos. "I think they realize their security reputation is very important."
Meanwhile, Wisniewsky said that Microsoft has typically dealt with unusually large patches in the fall after serious security vulnerabilities are revealed at summer hacker conferences such as BlackHat and DefCon.
"It's unclear, but if you read the tea leaves a little bit, [the heavy patch load] implies it could be a response to some of those things that were disclosed but haven't been patched yet."
|
Cybersecurity Experts: What They Know Could Scare You A recent report based on interviews with security experts in government, business and academia finds more than half in agreement that a worldwide arms race is taking place in cyberspace. |
|
10 Security Predictions For 2012 CRN looks into its crystal ball and sees Android, hactivisim and cyber-espionage as some of the top 10 security threats in 2012. |
|
10 Biggest Security Breaches Of 2011 The Top 10 Security Breaches of 2011 show hackers were relentless in their pursuit of profit, compromising computer systems of universities, video-game makers and the largest banks. |
 More
Slide Shows |
- Complete Security and Your Bottom Line: Sophos, Value and the Channel
- Tough Threats, Tougher Security: How You Can Leverage New Solutions To Combat A “Targeted Attack” Landscape
- Dark Clouds Ahead: Why the Mid-Market Needs To Ramp Up Cloud Security and How You Can Help Them Get There
- Remote Management and IT Security: Building Profits While Reducing Costs
