Microsoft's Patch 'Lite' Tuesday

It may be the calm before the storm, but Microsoft has only three patches on tap

Think of it as a gift from Microsoft: For the first time in several months, Patch Tuesday will be relatively quiet. Microsoft will release just three security updates next week: two for Windows and one for Microsoft Office.

Of the two Windows security bulletins, one is rated "important," according to Microsoft, and neither is rated higher than that. The single Office bulletin is rated "critical," according to the software giant. Some of the updates in both groups will require a restart before the patched code takes effect.

Microsoft doesn't divulge just what the patches are until the big day, but security experts say it's probably too soon for the Word 2000 bug patch to be included in this round. (See Zero-Day Exploit Targets Word.) "They've got to develop a patch and then do QA across a lot of product lines," says David Maynor, senior researcher for SecureWorks. "Next week's release cycle is very doubtful [for the Word 2000 bug], unless they knew about it before."

Meanwhile, applying the OS patches should be simple, says Eric Schultze, chief security architect for Shavlik Technologies. "It should be a pretty relaxed release with these two patches," he says. "OS patches are typically the simplest of all to install and since the highest severity rating of these is only 'important,' customers might not be in as much of a rush to get these deployed quickly."

The critical Office patch, however, is a different story. That one will need more immediate attention, he says. "Office patches are traditionally more difficult to deploy, as these patches typically require access to the Office CD-ROM that was used to install the product," Schultze says. "Because the installation routine is more complex than for OS patches, it takes longer for organizations to roll out Office patches."

And Windows XP appears to be out of the woods with this round of patches, says Rob Enderle, president of The Enderle Group. "For now, the good news is the patches are light and they don't have the criticality for folks on XP. It looks like the patches mainly focus on Windows 2000," he says.

"It seems that IT can do more [patching] at their leisure" this time around since the patch load is light, Enderle says. "But it's absolutely critical to apply the patches right away."

So why the low volume of patches? Maynor says vulnerabilities in general -- not just Microsoft's -- have been less pervasive ever since August's Black Hat conference. "This is research time for people -- they are applying new tools and techniques instead of reporting more stuff. We're in a building phase."

Shavlik's Schultze says the volume of Microsoft patches is typically cyclical: "September might represent the low point in the wave and at some point, we'll be back to the high part of the wave again."

But in the meantime, savor it. "History has shown that this may only be the lull before the storm," Schultze says. "Enjoy the quiet now, and let's hope it continues."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • SecureWorks Inc.
  • Shavlik Technologies
  • Enderle Group