Microsoft gives IT administrators holiday presents early

Microsoft plans to leave 17 security bulletins addressing 40 vulnerabilities under the tree for IT administrators in its last Patch Tuesday of 2010

The Patch Tuesday bulletins, which cover Microsoft Windows, Office, Internet Explorer, SharePoint, and Exchange, are likely to keep IT administrators working hard until Christmas Eve.

Commented Paul Henry, security and forensic analyst for Lumension, “It is not enough that IT administrators are addressing the current denial-of-service attacks surrounding WikiLeaks where anyone could very quickly become a target, but now organizations also have to address this mid-sized disruptive Patch Tuesday from Microsoft…the additional patching work from this bulletin has organizations ending 2010 with a scramble.”

Wolfgang Kandek, chief technology officer at Qualys, shares Henry’s concern about the impact on administrators. Patch Tuesday will “present a challenge to all Windows system administrators, especially with the holidays shortening the available working hours”, he said.

Of the 17 bulletins, two are rated ‘critical’, 14 are rated ‘important’, and one is rated ‘moderate’. All of them may or will require a restart.

Microsoft said it has issued a total of 106 bulletins over the year, which is up from 2009. Mike Reavey, director of the Microsoft Security Research Center, explained the increase this way:

“Vulnerability research methodologies...change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.”

Reavey said that Microsoft would be closing the last Stuxnet-related issues this month. “This is a local Elevation of Privilege vulnerability and we’ve seen no evidence of its use in active exploits aside from the Stuxnet malware”, he said.

Microsoft is also addressing the IE zero-day vulnerability (Security Advisory 2458511) that allows an attacker to achieve remote code execution. A number of security analysts criticized Microsoft for not patching the vulnerability in the November Patch Tuesday release.

“Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention”, Reavey said. He noted that there is a recent Microsoft blog about the effectiveness of DEP and Address Space Layout Randomization (ASLR) against the IE exploits seen in the wild. 
