Mammoth. That’s the word that most accurately describes what Microsoft has in store for this Patch Tuesday. Microsoft revealed that we can expect 17 security bulletins for the April Patch Tuesday, so pour yourself some espresso and pick up a 12-pack of Mountain Dew; it could be a long day.
The 17 Microsoft security bulletins address a total of 64 separate vulnerabilities, a new record for Microsoft. But, just keeping things in perspective, Apple patched 40 vulnerabilities in Mac OS X, and another 60 or so in the Safari Web browser, just a few weeks ago.
Besides, as Andrew Storms, Director of Security Operations for nCircle, points out, “That seems like a huge number of bugs but it’s actually about what we expected. Ever since the middle of last year Microsoft’s bulletin releases generally hit double digits every other month.”
There are nine security bulletins rated as Critical, while the remainder are considered Important. The patches and updates span all versions of Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, and the .NET Framework.
Storms notes that one of the updates will patch the MHTML bug that was disclosed back in January. “This bug garnered a fair amount of attention and Microsoft released a fixit tool to thwart attacks. I’m relieved this bug has finally been fixed; the longer it’s out there, the more time attackers have to find other ways to exploit it.”
Paul Henry, Forensic & Security Analyst at Lumension, explains, though, that the Microsoft flaws and vulnerabilities are not the primary focus for malware developers, and that other software vendors need to improve their vulnerability disclosure and patching processes to keep up. “Case in point: the recent revelation by RSA that the exploit of their tokens all began with an Adobe Flash module embedded within a Microsoft Excel spreadsheet. Time and time again, we’re finding that spear phishing exploits are taking advantage of the weaknesses in third-party applications.”
For next week’s massive Patch Tuesday, consumers and small business users with Automatic Updates enabled don’t actually need to do anything. If your Windows system is configured to automatically download and install updates from Microsoft sometime in the night while you’re sleeping, it doesn’t really matter if there are seven security bulletins, or 17, or 70. Either way you wake up to a freshly patched PC that has probably been rebooted.
For larger organizations, where more analysis and testing are required before unleashing a patch on the general user population, it’s a different story. Amol Sarwate, Manager of the Vulnerability Research Lab at Qualys, says IT admins should get ready for next week’s avalanche. “This is a huge update and system administrators should plan for deployment, as all Windows systems, including Server 2008 and Windows 7, are affected by critical bulletins. Frequently used Office applications like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also affected.”