Microsoft plans double-sized Patch Tuesday next week

Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.

Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.

The number of 14 September updates will be more than double the maximum the company has delivered in any other of this year's odd-numbered months. Microsoft traditionally delivers relatively few patches in those months.

Four of the updates were labeled "critical," Microsoft's highest threat ranking in its four-step scoring system. The remaining five were marked "important," the second-highest rating.

The update tally that Microsoft spelled out in its monthly advance notification to customers is "quite substantial," said Wolfgang Kandek, chief security officer of Qualys, considering that September should be an "off" month for patches.

Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In August, for example, Microsoft delivered a record 14 updates that patched a record-tying 34 vulnerabilities. July's batch, however, contained just four bulletins that fixed five flaws.

By that back-and-forth, Microsoft should have issued a small number of security updates.

"I'm a little bite surprised at the number," said Kandek. "Maybe some of them will be fixes for the DLL issue."

Kandek was referring to a vulnerability in a large number of Windows applications -- some estimates have pegged it as north of 200 -- that was first publicly disclosed three weeks ago by HD Moore, chief security officer at Rapid7 and the creator of the open-source Metasploit hacking toolkit. At the time, Moore announced that several dozen Windows programs were flawed because they improperly loaded code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- giving hackers a way to hijack a PC by tricking the application into calling on a malicious DLL.

A week later, Microsoft said it would not be able to patch Windows to stymie attacks, but instead said application developers would have to fix their own products. The company also released a complicated-to-use tool to block possible attacks.

"Some of these could be patches for the DLL issue," said Kandek, pointing to the two updates slated to address vulnerabilities in Microsoft's Office suite.

Researchers have claimed that several Office applications, including PowerPoint 2007 and 2010, and Word 2007, are vulnerable to the bug, which has acquired the name "DLL load hijacking."

By the bare bones details Microsoft includes in its advance warning, "Bulletin 3" could be a patch for Word's DLL problem.

Eight of the nine updates affect one or more versions of Windows; one of those will patch Microsoft's IIS (Internet Information Services) Web server software. Two will impact Office. (Microsoft listed one of the bulletins under both categories.)

"I don't think it's likely that they'll have something [in Windows] on the DLL problem," said Kandek. "I'd like to see it, but it's a tough decision for them because that has the potential of making apps stop working."

Some security experts have speculated that Microsoft could come up with a way to protect Windows users, perhaps by adding a warning that appears when a DLL or executable file is loaded from a Web site or SMB (Server Message Block) share. Their argument rested on the fact that most users will not deploy the blocking tool.

"I don't see too many people going down that route [with the blocking tool]," Kandek said.

Microsoft may take an alternate route to a Windows tweak. Last week, Jerry Bryant, a group manager with the Microsoft Security Response Center, said that the company would offer the blocking tool to companies via Windows Server Update Services (WSUS), Microsoft's most-used business patch management mechanism. He also said Microsoft was thinking about pushing the tool to everyone, including consumers, via Windows Update.

The update mix is strongly slanted towards older versions of Windows, noted Don Leatham, senior director of solutions and strategy at Lumension.

In an e-mail, Leatham pointed out that Windows XP Service Pack 3 (SP3), the only version of the nine-year-old OS that Microsoft still supports, will receive eight updates, three of them critical. Windows Vista, on the other hand, will be affected by just five updates, two of them critical, while Windows 7 will get only three updates, none critical.

"These results show that organizations running Windows 7 are running much more secure environments, and as an added benefit, this Patch Tuesday will practically be a non-event for them," Leatham said. "Organizations stuck on Windows XP need to take a hard look at the cost and risk factors associated with staying on that dated platform."

Microsoft, which typically confirms security advisories it plans to address in an upcoming Patch Tuesday, said nothing about patching the DLL load hijacking issue or closing any other outstanding bugs.

"[We] cannot share the details of the bulletins being released this month," said Bryant in a reply to questions. "The DLL preloading issue is an ongoing investigation. We expect to address affected products through security bulletins and/or defense-in-depth updates."

Microsoft last week said it was looking into new reports of a long-known vulnerability in Internet Explorer (IE). A fix for that is unlikely, as the company always specifies impending IE security updates in its advance notifications.

Microsoft will release the nine updates at approximately 1 p.m. ET on 14 September.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?