Sheldon here with a quick preview of next week's Microsoft Patch Tuesday updates ...
If you're on the customer side, you have a lot of patching to do starting next week. If you're on the Security Research side, order some extra pizza and chill an extra case of Red **** ... this is going to be a busy one.
13 bulletins coming out on Tuesday - the most ever in February by my count. Last year was lighter than usual ... we usually see 11 or 12 in February. December and January are usually light, so February is a busy clean-up month for Microsoft Security Updates. Last month's out-of-band IE update kept February under 14 updates, but 13 is still a February bulletin record and ties last October for the most updates in a single Patch Tuesday.
2 Denial of Service; 2 Elevation of Privilege; and 9 Remote Code Execution.
2 updates for Office; 11 for Windows, with 26 (yes, 26) total vulnerabilities addressed.
Here's a breakdown by affected software:
- Windows 2000: 9 updates ... 5 Critical; 3 Important; and 1 Moderate
- Windows XP: 8 updates ... 5 Critical; 2 Important; and 1 Moderate
- Server 2003: 9 updates ... 4 Critical; 3 Important; and 2 Moderate
- Vista: 6 updates ... 3 Critical; and 3 Important
- Server 2008: 8 updates ... 3 Critical; 4 Important; and 1 Low
- Windows 7: 5 updates ... 3 Critical; and 2 Important
- Server 2008 R2: 5 updates ... 3 Critical; 1 Important; and 1 Low
- Office XP: 2 updates ... 2 Important
- Office 2003: 1 update ... 1 Important
- Office 2004 for Mac: 2 updates ... 2 Important
Also worth noting: there are 2 known issues that will not be addressed on Tuesday.
The first one is the IE "Information Disclosure" vulnerability that some have described as "turning your PC into an Internet File Server". Catchy ... wish I'd thought of that description. No word yet on whether this will result in an out-of-band update or wait until March or later. (Metasploit might have more influence on that decision than internal Microsoft processes -- too early to say at this point). That's advisory 980088.
The second one is the SMB DoS vulnerability that Microsoft discussed in advisory 977544 back in November. They are still working through that update, and as we've noted several times in the past, Microsoft is not known for rushing DoS fixes.
Microsoft *is* patching an issue that is 17 years in the making, however. This one only affects 32-bit Windows versions, and the exposure lies in the NT Virtual DOS Machine (NTVDM) subsystem that's been around since the early Windows NT days. For those who aren't aware, NTVDM is what allows 32-bit Windows versions to run 16-bit applications and MS-DOS programs. If you're not running 16-bit apps, this should have no impact on you. If you are still running 16-bit apps, I hope they're not mission critical.
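If you want to know where you stand before Tuesday, here is a quick inventory check (an added example, not from the original post or from Microsoft): it reports whether the host is 32-bit Windows, whether the 16-bit subsystem has been switched off by the "Prevent access to 16-bit applications" policy (assumed to be stored as the VDMDisallowed value under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat), and whether any ntvdm.exe instances are running right now.

```powershell
# Added example: NTVDM exposure inventory for one host. Run from an elevated PowerShell
# on the machine being assessed. The VDMDisallowed policy value is an assumption about
# how the "Prevent access to 16-bit applications" setting is stored.

function Get-NtvdmExposure {
    # NTVDM only exists on 32-bit Windows; a 64-bit OS has no 16-bit subsystem at all.
    $arch = $env:PROCESSOR_ARCHITECTURE
    if ($env:PROCESSOR_ARCHITEW6432) { $arch = $env:PROCESSOR_ARCHITEW6432 }  # 32-bit shell on a 64-bit OS
    $is32Bit = ($arch -eq 'x86')

    # Has the 16-bit subsystem been disabled by policy?
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat' `
                               -Name VDMDisallowed -ErrorAction SilentlyContinue
    $vdmDisabled = ($policy -ne $null -and $policy.VDMDisallowed -eq 1)

    # Is anything using it right now? Every 16-bit app runs inside an ntvdm.exe host process.
    $ntvdm = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Is32BitWindows = $is32Bit
        NtvdmDisabled  = $vdmDisabled
        NtvdmProcesses = $ntvdm.Count
        InUse          = ($ntvdm.Count -gt 0)
        # Exposed = 32-bit OS with the subsystem still enabled, whether or not it is in use today
        Exposed        = ($is32Bit -and -not $vdmDisabled)
    }
}

Get-NtvdmExposure | Format-List
```

A host that reports Exposed = True and InUse = False is a candidate for disabling the subsystem until the update is deployed; one that reports InUse = True tells you which machines still depend on 16-bit applications.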
We'll have more information for you when the advisories come out on Tuesday. Until then, get some rest ... if you're reading this, you'll likely need it.