Microsoft plans double-sized Patch Tuesday next week

Microsoft today said it will issue nine security updates to patch 13 bugs in Windows, Office and its Web server software next week.

The number of updates scheduled for 14 September is more than double the most the company has delivered in any other odd-numbered month this year. Microsoft traditionally delivers relatively few patches in those months.

Four of the updates were labeled "critical," Microsoft's highest threat ranking in its four-step scoring system. The remaining five were marked "important," the second-highest rating.

The update tally that Microsoft spelled out in its monthly advance notification to customers is "quite substantial," said Wolfgang Kandek, chief security officer of Qualys, considering that September should be an "off" month for patches.

Microsoft has been shipping alternating large and small batches of fixes, with the larger-sized updates landing in even-numbered months. In August, for example, Microsoft delivered a record 14 updates that patched a record-tying 34 vulnerabilities. July's batch, however, contained just four bulletins that fixed five flaws.

By that alternating pattern, September should have brought only a small number of security updates.

"I'm a little bit surprised at the number," said Kandek. "Maybe some of them will be fixes for the DLL issue."

Kandek was referring to a vulnerability in a large number of Windows applications -- some estimates have pegged it as north of 200 -- that was first publicly disclosed three weeks ago by HD Moore, chief security officer at Rapid7 and the creator of the open-source Metasploit hacking toolkit. At the time, Moore announced that several dozen Windows programs were flawed because they improperly loaded code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- giving hackers a way to hijack a PC by tricking the application into calling on a malicious DLL.

A week later, Microsoft said it would not be able to patch Windows to stymie attacks, but instead said application developers would have to fix their own products. The company also released a complicated-to-use tool to block possible attacks.

"Some of these could be patches for the DLL issue," said Kandek, pointing to the two updates slated to address vulnerabilities in Microsoft's Office suite.

Researchers have claimed that several Office applications, including PowerPoint 2007 and 2010, and Word 2007, are vulnerable to the bug, which has acquired the name "DLL load hijacking."

Judging by the bare-bones details Microsoft includes in its advance warning, "Bulletin 3" could be a patch for Word's DLL problem.

Eight of the nine updates affect one or more versions of Windows; one of those will patch Microsoft's IIS (Internet Information Services) Web server software. Two will impact Office. (Microsoft listed one of the bulletins under both categories.)

"I don't think it's likely that they'll have something [in Windows] on the DLL problem," said Kandek. "I'd like to see it, but it's a tough decision for them because that has the potential of making apps stop working."

Some security experts have speculated that Microsoft could come up with a way to protect Windows users, perhaps by adding a warning that appears when a DLL or executable file is loaded from a Web site or SMB (Server Message Block) share. Their argument rested on the fact that most users will not deploy the blocking tool.
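As an added illustration, not code from the article or from Microsoft, here is a simplified Python model of the search-order behaviour behind the bug Moore disclosed and Kandek discusses: an application asks for an optional DLL by bare name, the trusted directories do not contain it, and the lookup falls through to the current working directory, which is the document's folder (for example an SMB share) when a file is opened from there. All paths, file listings and the DLL name are constructed, and dropping the working directory from the search is an assumed stand-in for the mitigation, not a description of Microsoft's blocking tool.

```python
# Added example, not from the article: a simplified model of how a DLL requested
# by bare name is resolved, why a missing optional DLL can be satisfied from the
# document's directory (the current working directory, e.g. an SMB share), and
# how dropping that directory from the search mitigates it.
# All paths and file listings below are constructed for the illustration.
from typing import Iterable, Optional

# Constructed filesystem: directory -> set of file names it contains.
FILESYSTEM = {
    r"C:\Program Files\Office": {"winword.exe"},
    r"C:\Windows\System32": {"ntdll.dll", "kernel32.dll"},
    r"\\fileserver\share\docs": {"quarterly.doc", "opthelper.dll"},  # planted look-alike
}

SYSTEM_DIR = r"C:\Windows\System32"


def search_order(app_dir: str, cwd: Optional[str]) -> list:
    """Simplified default order: application dir, system dir, then the current
    working directory. Passing cwd=None models a hardened search with no CWD."""
    order = [app_dir, SYSTEM_DIR]
    if cwd is not None:
        order.append(cwd)
    return order


def resolve_dll(name: str, app_dir: str, cwd: Optional[str]) -> Optional[str]:
    """Return the full path of the first directory in search order that holds
    `name`, or None when the load fails (the safe outcome for an optional DLL)."""
    for directory in search_order(app_dir, cwd):
        if name in FILESYSTEM.get(directory, set()):
            return directory + "\\" + name
    return None


def untrusted_dlls(directory: str, trusted_dirs: Iterable[str]) -> list:
    """Audit helper: DLL files in an untrusted directory that would satisfy a
    bare-name load because no trusted directory provides the same name."""
    trusted = set().union(*(FILESYSTEM.get(d, set()) for d in trusted_dirs))
    return sorted(f for f in FILESYSTEM.get(directory, set())
                  if f.lower().endswith(".dll") and f not in trusted)
```

Running `resolve_dll` with the share as the working directory returns the planted file, while the hardened call (cwd=None) returns None; `untrusted_dlls` is the kind of check an administrator could run over a share to spot DLLs that have no trusted counterpart.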

"I don't see too many people going down that route [with the blocking tool]," Kandek said.

Microsoft may take an alternate route to a Windows tweak. Last week, Jerry Bryant, a group manager with the Microsoft Security Response Center, said that the company would offer the blocking tool to companies via Windows Server Update Services (WSUS), Microsoft's most-used business patch management mechanism. He also said Microsoft was thinking about pushing the tool to everyone, including consumers, via Windows Update.

The update mix is strongly slanted towards older versions of Windows, noted Don Leatham, senior director of solutions and strategy at Lumension.

In an e-mail, Leatham pointed out that Windows XP Service Pack 3 (SP3), the only version of the nine-year-old OS that Microsoft still supports, will receive eight updates, three of them critical. Windows Vista, on the other hand, will be affected by just five updates, two of them critical, while Windows 7 will get only three updates, none critical.

"These results show that organizations running Windows 7 are running much more secure environments, and as an added benefit, this Patch Tuesday will practically be a non-event for them," Leatham said. "Organizations stuck on Windows XP need to take a hard look at the cost and risk factors associated with staying on that dated platform."

Microsoft, which typically confirms security advisories it plans to address in an upcoming Patch Tuesday, said nothing about patching the DLL load hijacking issue or closing any other outstanding bugs.

"[We] cannot share the details of the bulletins being released this month," said Bryant in a reply to questions. "The DLL preloading issue is an ongoing investigation. We expect to address affected products through security bulletins and/or defense-in-depth updates."

Microsoft last week said it was looking into new reports of a long-known vulnerability in Internet Explorer (IE). A fix for that is unlikely, as the company always specifies impending IE security updates in its advance notifications.

Microsoft will release the nine updates at approximately 1 p.m. ET on 14 September.

Gregg Keizer
Computerworld (US)