Microsoft yesterday delivered a record 13 security updates that patched 34 vulnerabilities in every version of Windows, including the not-yet-for-sale Windows 7, as well as in Internet Explorer (IE), Office, SQL Server and other parts of its software portfolio.
The 34 flaws were also a record number for Microsoft, the most holes patched in one sitting since Microsoft switched to a regular monthly update schedule six years ago. The closest competitor was December 2008, when the company tackled 28 bugs.
"To anyone following Apple, this isn't a big surprise," said Andrew Storms, director of security operations at nCircle Network Security, referring to Microsoft's operating system rival, which typically issues security updates that include scores of fixes. "But this is certainly an unprecedented month for Microsoft."
Microsoft ranked 8 of the 13 updates and 21 of the 34 vulnerabilities as 'critical', the top rating in its four-step scoring system. The remainder of the bulletins were judged 'important', the next threat level down, while nine of the flaws were also pegged important, and the final 4 were tagged as 'moderate'.
Among today's patches were several for zero-day vulnerabilities - bugs for which exploit code had already gone public. One of the zero-day vulnerabilities was undisclosed until yesterday.
Microsoft patched three vulnerabilities in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows; two bugs in the FTP server that's included with older editions of its Internet Information Services (IIS) web server; and two in the Windows Media Runtime. The flaws in SMB 2 and IIS had been public knowledge since early September, but the Windows Media vulnerabilities included one that Microsoft said was already in the wild, but had not leaked to the usual public sources, such as security mailing lists.
For that reason, Storms urged everyone to deploy the MS09-051 update, which patches the Windows Media bugs, as soon as possible. "At first glance, [MS09-]051 should be patched immediately," he said. "What's interesting today is that we're learning it's in the wild. More important, it can be exploited in drive-by attack situations, just be getting people to go to a [malicious] website."
Early last month, Microsoft revealed the SMB 2 vulnerability, but although attack code went public, security researchers have not seen any actual attacks. The flaw affects Windows Vista, Windows Server 2008 and preview releases of Windows 7, but not the final edition slated for retail release next week.
The FTP flaw , on the other hand, was disclosed by Microsoft Sept. 1, when the company confirmed that its security team was investigating attack code that hit the street on the last day of August.
Microsoft also fixed a slew of flaws today that go back to a programming error in one of its code libraries, Active Template Library (ATL). The company had acknowledged the error last summer. Yesterday's patches quashed three ATL-related bugs in Office and set 'kill bits' to disable four or more Microsoft-made ActiveX controls for Windows Live Mail, the MSN Photo upload tool, and various Office document viewers used by Internet Explorer (IE) to display spreadsheets, charts and databases on the web.
"And we have the token IE patches today, too," noted Storms, talking about MS09-054, which plugs four holes, all critical, in Microsoft's browser. Included in the four, said Storms, was one apparently accidently disclosed at the Black Hat security conference several months ago.
As part of the record update, Microsoft also patched eight vulnerabilities in GDI+, (Graphics Device Interface), a component that debuted in Windows XP and is a core part of Windows Vista and Windows 7, as well as the server-side operating systems, Windows Server 2003 and Windows Server 2008.
Hackers could exploit the GDI+ bugs by sending specially-crafted image files in a variety of formats - including BMP, PNG, TIFF and WMF - to a user via email, or by convincing users to visit sites that contain malicious image files. By triggering the vulnerabilities, attackers could then follow up with additional malware to hijack a system or steal data.
Storms, however, discounted exploits of the GDI+ vulnerabilities. The audio codec bugs [in MS09-051] will be so much easier to exploit," he reasoned.
"I would put the two items in the public domain, MS09-050 [the SMB 2 flaws] and MS09-053 [the FTP bug in IIS] at the top of the list," said Storms. "And then MS09-051 and the IE updates, the latter because those kind of client-side bugs get a lot of attention from attackers."
This month's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Windows 7, Vista & XP get record number of patches
See more:
Comments
Anonymous said: Yawn Big deal Microsoft have to issue out updates and patches as a simple course of nature Maybe its me but Im failing to see the urgency or importance of this particular article sorry PCA youve just reported a useless bit of information for the sake of itThe question is why RonJust chill mate no need to fly off the handle over something so trivial
Cyteck said: Lets be clear here NOT every computer user running windows is going to receive the same updates or require the same updates Yesterdays patches were designed to address extremely specific vulnerabilities and not all of those applied to windows itself for example IIS amp windows server productsSometimes windows automatic update service doesnt work as smoothly as its ideally designed too and yes you can get problemsYou must have a Automatic updates enabled and b You must also have BITS enabled too back ground intelligent transfer before the update process will workPersonally I have found that manually searching for and manually downloading amp installing specific updates works best for me But Im not a novice so this method is not for most users perhaps but it works perfectly provided you know which patches apply
Dragon said: Yesterday I installed the updates This morning I could not get my PC to boot up Eventually I managed to get into System Restore IE8 which had previously given me problems had installed itself despite me deleting it from the list of updates Back to IE7 and no problems
Ron Graves said: Fisherman said on Thursday 15 October 2009I dont think youve checked your facts RonI read the monster patch garbage That not enough then If not lifes too short
Kippert said: Seems a very convoluted lie if it is one
Ron Graves said: oojimmyflipRubbish Rarely have I read such complete and utter bollocksI have more security apps than you can shake a stick at but MS security updates are still absolutely essentialIf you think theyre not then you need to change your drug of choiceOr to put it another way - youre an idiot
Fisherman said: I dont think youve checked your facts Ron
Ron Graves said: Hate to be picky but I subscribe to MSs update service and I havent seen this at allWant to try again with something less prejudiced Or hey heres a thought - stop lying
The Voice Of Reason said: Well said oojimpflipI also have a similar problem with some faulty locks on my carAlthough the manufacturer have offered to replace them free of charge its far too much hassle Ive got a perfectly good car alarm
Narendra said: Switch to UBUNTU safe easy and beautiful
oojimmyflip said: I have hardly ever bother with Microsofts security fixes they cause more trouble and glitches than leaving updates turnned off Buy some decent internet security software that is tweekable and doesnt slow down your computer and once set up it wont fail you Kaspersky Internet security would be a good start want reliability leave the updats alone
Cyteck said: As usual its extremely easy to be critical of Microsoft and slag Redmond off but on the other hand a they are doing something proactive to patch amp fix these faults and b they DONT cost anything to end users apart from the downloading time amp the installation time If you dont take advantage of these patches amp free fixes then more fool you if you systems is compromised later