Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.
The number of 14 September updates will be more than double the maximum the company has delivered in any other of this year's odd-numbered months. Microsoft traditionally delivers relatively few patches in those months.
Four of the updates were labeled "critical," Microsoft's highest threat ranking in its four-step scoring system. The remaining five were marked "important," the second-highest rating.
The update tally that Microsoft spelled out in its monthly advance notification to customers is "quite substantial," said Wolfgang Kandek, chief security officer of Qualys, considering that September should be an "off" month for patches.
Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In August, for example, Microsoft delivered a record 14 updates that patched a record-tying 34 vulnerabilities. July's batch, however, contained just four bulletins that fixed five flaws.
By that back-and-forth pattern, September should have brought only a small number of security updates.
"I'm a little bit surprised at the number," said Kandek. "Maybe some of them will be fixes for the DLL issue."
Kandek was referring to a vulnerability in a large number of Windows applications -- some estimates have pegged it as north of 200 -- that was first publicly disclosed three weeks ago by HD Moore, chief security officer at Rapid7 and the creator of the open-source Metasploit hacking toolkit. At the time, Moore announced that several dozen Windows programs were flawed because they improperly loaded code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- giving hackers a way to hijack a PC by tricking the application into calling on a malicious DLL.
A week later, Microsoft said it would not be able to patch Windows to stymie attacks, but instead said application developers would have to fix their own products. The company also released a complicated-to-use tool to block possible attacks.
"Some of these could be patches for the DLL issue," said Kandek, pointing to the two updates slated to address vulnerabilities in Microsoft's Office suite.
Researchers have claimed that several Office applications, including PowerPoint 2007 and 2010, and Word 2007, are vulnerable to the bug, which has acquired the name "DLL load hijacking."
Going by the bare-bones details Microsoft includes in its advance warning, "Bulletin 3" could be a patch for Word's DLL problem.
Eight of the nine updates affect one or more versions of Windows; one of those will patch Microsoft's IIS (Internet Information Services) Web server software. Two will impact Office. (Microsoft listed one of the bulletins under both categories.)
"I don't think it's likely that they'll have something [in Windows] on the DLL problem," said Kandek. "I'd like to see it, but it's a tough decision for them because that has the potential of making apps stop working."
Some security experts have speculated that Microsoft could come up with a way to protect Windows users, perhaps by adding a warning that appears when a DLL or executable file is loaded from a Web site or SMB (Server Message Block) share. Their argument rested on the fact that most users will not deploy the blocking tool.
"I don't see too many people going down that route [with the blocking tool]," Kandek said.
Microsoft may take an alternate route to a Windows tweak. Last week, Jerry Bryant, a group manager with the Microsoft Security Response Center, said that the company would offer the blocking tool to companies via Windows Server Update Services (WSUS), Microsoft's most-used business patch management mechanism. He also said Microsoft was thinking about pushing the tool to everyone, including consumers, via Windows Update.
The update mix is strongly slanted towards older versions of Windows, noted Don Leatham, senior director of solutions and strategy at Lumension.
In an e-mail, Leatham pointed out that Windows XP Service Pack 3 (SP3), the only version of the nine-year-old OS that Microsoft still supports, will receive eight updates, three of them critical. Windows Vista, on the other hand, will be affected by just five updates, two of them critical, while Windows 7 will get only three updates, none critical.
"These results show that organizations running Windows 7 are running much more secure environments, and as an added benefit, this Patch Tuesday will practically be a non-event for them," Leatham said. "Organizations stuck on Windows XP need to take a hard look at the cost and risk factors associated with staying on that dated platform."
Microsoft, which typically confirms security advisories it plans to address in an upcoming Patch Tuesday, said nothing about patching the DLL load hijacking issue or closing any other outstanding bugs.
"[We] cannot share the details of the bulletins being released this month," said Bryant in a reply to questions. "The DLL preloading issue is an ongoing investigation. We expect to address affected products through security bulletins and/or defense-in-depth updates."
Microsoft last week said it was looking into new reports of a long-known vulnerability in Internet Explorer (IE). A fix for that is unlikely, as the company always specifies impending IE security updates in its advance notifications.
Microsoft will release the nine updates at approximately 1 p.m. ET on 14 September.