Microsoft has rolled out its biggest patch update in a year, with 11 security updates fixing 17 vulnerabilities in Windows, Office, Internet Explorer, Internet Information Server (IIS) and several other components and technologies.
It was the most patch bulletins Microsoft's has issued since February 2007, even though it pulled one expected update - scheduled last week to fix problems in VBScript and JScript - at the last minute. Five of the 11 were ranked 'critical', Microsoft's highest rating in its four-step threat-scoring system. The others were labelled 'important', the second-highest rating.
The sheer volume of flaws and fixes - added to the already large number of updates cranked out over the past two weeks by other vendors, including Apple and Adobe - is what struck Andrew Storms, director of security operations at nCircle.
"The volume of the last week is something no security team can staff for," said Storms, referring to a wave of vulnerability disclosures and patches by developers of some of the web's most popular applications, including Adobe Reader, Apple's QuickTime and Skype's VoIP client. All have been plagued with, and patched, one or more bugs in the past week.
"It's almost the worst-case possible," Storms said. "There's so much firefighting going on that it comes down to deciding what risks are the most prevalent, and what can be mitigated without patching or fixing so that people can get to some of the hotter topics."
Storms recommended that organisations first tackle the three Office-related bulletins in Tuesday's Microsoft release before jumping back to the Reader update from last week to ensure that all copies of that popular PDF viewer have been patched. One of the Reader bugs has been exploited for at least several weeks.
MS08-009, MS08-012 and MS08-013 patched flaws in Microsoft Word, in Microsoft Publisher and in Office overall, respectively. Another bulletin, MS08-011, fixed a vulnerability in Microsoft Works, the company's lowest-priced, entry-level suite. Because MS08-011 plugs a hole in Works' file converter, however, it also puts users of Office 2003, including the most recent service pack, SP3, at risk.
Other bulletins addressed problems in IE, Active Directory, Windows Vista's implementation of TCP/IP, IIS, Windows' WebDAV technology and Windows' use of OLE automation.
"It's interesting that we're still seeing the client side's [vulnerabilities] as more critical than the server side," noted Storms, when asked to pass judgement on the patch day as a whole. "That's a complete flip from five years ago. Take MS08-003 as an example. It's in Active Directory, which is at the core of the enterprise. But it's only labelled 'important' because you need valid log-in credentials to exploit it."
Storms also pointed to the two IIS-related bulletins as examples of old-school problems that affect servers but pose less of a threat. He contrasted those with the numerous client vulnerabilities in Windows or Microsoft's applications, such as Office, Works and Internet Explorer, all of which were judged "critical" by the company.
Don Leatham, director of solutions and strategy at Lumension Security, noted the same long-standing trend. "The attack surface is moving up the stack into the application and away from the operating system," said Leatham.
To emphasise his point, Leatham's first-to-fix vulnerabilities today were - like Storms' - in an application. "Two stand out: MS08-010 and MS08-007," he said. "The first affects [Internet Explorer] across the board, IE6 and IE7 both, and it looks like there's no mitigating factors for one."