Microsoft To Deliver Massive Security Patch on Tuesday

Microsoft today promised that a hefty December security update will arrive next week.

December's massive patch, scheduled to arrive on Tuesday, will seal 2010 as the year with the most vulnerabilities and security updates since the inception of Microsoft's Patch Tuesday event. The bad news for IT pros comes wrapped up in an advance notification, announced today.

Microsoft plans to release an astounding 17 patches this month. Two of the security bulletins are deemed "critical." Next, there will be 14 "important" patches to contend with, followed by a lone "moderate" patch.

"It is enough that IT administrators are addressing the current denial-of-service attacks surrounding WikiLeaks where anyone could very quickly become a target," said Paul Henry, security and forensic analyst at Lumension. "But now organizations also have to address this mid-sized disruptive Patch Tuesday from Microsoft with 17 bulletins, which all do or may require a restart."

Remote code execution (RCE) attacks top the list of considerations in this month's patch, with 10 security bulletins addressing the risk. Other risks targeted in this patch include denial-of-service attacks and elevation-of-privilege concerns. The main products to be patched include Windows, Microsoft Office, SharePoint, Exchange and Internet Explorer.

Critical Fixes
The first critical security bulletin appears to be a cumulative update for IE, the world's most widely used Web browser. The fix affects most versions, including IE 6, 7 and 8.

A cumulative fix for IE may be sorely needed. Verizon researchers recently said they had discovered "a previously undisclosed vulnerability" in the browser that allows attackers to bypass the Protected Mode in both IE 7 and IE 8. Microsoft also faced a holdover issue from last month that was described in this security advisory.

That's two outstanding issues affecting multiple versions of IE. As the year comes to a close, it looks like Redmond will be patching both of those flaws in this wide-ranging security update.

The second and final critical item will be a Windows patch that touches every supported Windows operating system.

Important and Moderate Fixes
The 15 important security bulletins expected next week describe multiple Windows operating systems, but Microsoft's patch support will only be for OSes it still supports.

SharePoint and Office, particularly Microsoft Publisher, are the other software products that will be affected in the important group of security bulletins. Microsoft plans to provide more details on Tuesday.

Meanwhile, the lone moderate patch will deal with Microsoft Exchange.

All patches may require a restart.

Also, Microsoft will be rolling out nonsecurity updates via its Windows Server Update Services (WSUS), Windows Update and Microsoft Update services. Details about those updates can be found here.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus


  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

  • What's Top-Paying .NET Skill, In-Demand Language?

    New tech reports reveal the top-paying .NET skills and most in-demand programming languages in the Microsoft-centric developer landscape.

Upcoming Events