Patch Tuesday: 16 Fixes from Microsoft
IT administrators will be busy next Tuesday based on an advance notification for this month's security update from Microsoft.
Sixteen fixes are expected; nine of these are "critical" security bulletins and the remaining are categorized as "important" in this month's release. Remote code execution (RCE) considerations are the leading risk being addressed (by 10 of the bulletins). Other fixes focus on elevation of privilege, information disclosure, and denial of service (two bulletins for each).
"It's clear that Microsoft is back to its typical practice of being very disruptive on Patch Tuesday," said Paul Henry, forensic and security analyst at Lumension. "This will be a long hot summer for IT professionals and there is just no room to slow down."
All of the forthcoming critical fixes will attempt to address potential RCE attacks. The first critical bulletin will be a Windows operating system-level patch affecting every supported Windows OS. The second critical bulletin tackles the Microsoft .NET Framework and Microsoft Silverlight on every supported Windows OS as well. Critical bulletin No. 3 brings greater security to Microsoft Forefront Threat Management Gateway 2010, specifically, the client application.
Critical bulletins Nos. 4, 5, and 6 are Windows OS-level patches touching every supported release. Likewise, critical patch No. 7 will be an all-encompassing Windows OS patch centered on .NET architecture on every supported OS in Redmond's repertoire.
The last two critical items (bulletins 8 and 9) will provide comprehensive fixes for Internet Explorer Web browsers. Critical item No. 8 will be a cumulative patch for IE 6, 7 and 8. Critical item No. 9 will be a more granular update for IE 6, 7 and 8 on Windows XP.
The first "important" item in the June patch is an information disclosure fix for all supported Windows OSes.
Next up will be a wide-ranging RCE fix for Microsoft Office. This second important fix will target a flaw in Microsoft Excel. The Microsoft InfoPath forms creation program also will be addressed by this bulletin. The third important item will be a Windows fix addressing all Microsoft-supported iterations.
Important security bulletins Nos. 4 and 5 will be designed to prevent denial-of-service attacks. One will touch Windows Server 2008 only, while the other will affect Windows Vista, Windows 7 and Windows Server 2008.
SQL Server, Visual Studio and InfoPath will be addressed by the sixth important fix. InfoPath 2007 and 2010 are the versions that Microsoft plans to fix. For the SQL part of the fix, security and database administrators should take notice, as the bulletin cuts a wide swath of service packs and versions spanning the SQL Server 2005 and SQL Server 2008 releases.
The last important patch on the slate will be an elevation-of-privilege fix for Windows components, but it will only affect Windows Server 2003 and 2008.
Security experts say that in light of a very heavy rollout, IT and security admins should be checking Microsoft's exploitability index. It will help them see how the security bulletins will affect their critical systems. "All in all, this is a big update," said Wolfgang Kandek, CTO at Qualys. "And system administrators will need to plan closely as both workstations and servers are affected by the critical bulletins. In addition applications such as Excel, Adobe Reader and Java will have to be taken into account this month." Those prospects will likely keep IT pros busy this month, but there's more. All of Microsoft's June security updates may require a system restart.
If any time is left, Microsoft once again invites IT pros to check out changes to the Windows Update and Windows Server Update Services in this Knowledge Base article.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.