Get plenty of sleep this weekend: Another Patch Tuesday is coming up.
Microsoft will pump out 12 security patches on Tuesday, 10 for Windows and two for Office. Some of the patches will be "critical" and will require a restart, according to the software giant, which issued a security bulletin but remains mum on specifics until the big day.
Aside from any new vulnerabilities it may be keeping under wraps, Microsoft is expected to issue fixes for recent PowerPoint exploits, among others. "You have to assume there's something for PowerPoint and Excel," says Paul Henry, vice president for strategic accounts at Secure Computing.
A laundry list of vulnerabilities has surfaced since last month's batch of patches, some or all of which Microsoft could address in this next round of patches:
- A published exploit takes advantage of a flaw in Windows that lets a Server Message Block (SMB) packet wreak havoc on the server driver (srv.sys), eliciting "the blue screen of death." According to Shavlik Technologies' security team, the flaw threatens servers more than clients and an attack doesn't require credentialed access to the system. It can also allow remote-code execution.
- A proof-of-concept exploit shows a flaw in Windows that causes the Routing and Remote Access Service (RRAS) to misbehave and cause a system crash. An attacker would need credentials for Windows XP SP2 and Server 2003 to execute this exploit, which can also allow remote-code execution.
- Proof-of-concept code shows that Windows has a flaw that allows a "specially crafted" image file to crash an application in Office or Internet Explorer when the image is opened or a malicious Web page is visited. Workstations and terminal servers are mainly at risk for this type of attack, according to the Shavlik Technologies team.
- Another proof-of-concept Windows hole can cause a server to "blue screen," according to a Microsoft security blog last month.
Microsoft is still patching the application that's gotten the most exposure -- Internet Explorer -- especially with the completion of the Month of Browser Bugs (MOBB) project. (See Getting Buggy with the MOBB.) "I find that amazing as always with Microsoft," says Secure Computing's Henry. "The browser is one area where Microsoft has lagged behind in deploying patches. That's why spyware has become such a big problem in the industry."
Microsoft would do better if it would hurry up and release IE7, says Aaron Collier, systems engineer for the Washington State Employees Credit Union, which runs 150 Windows 2003 and 2000 servers and hundreds of Windows XP and 2000 desktops. "We're using [the beta version] internally, and it's a thousand times better than IE6."
"I'd like to see as many patches as possible" next week, Collier says. "Microsoft has done a better job at fixing holes. Before, critical updates were few and far between, and you'd get slammed."
The credit union installs its patches on Tuesday and Thursday on a VMware machine where it tests the patches for three or four days before shooting them live via PatchLink. "We had been snagged years ago by patching whenever there were critical patches, and then breaking back-end tools," Collier says.
So where should you start on Tuesday? "You want to patch right away anything that's 'remotable' and doesn't require user credentials. Those are a big risk," says Mark Shavlik, president and CEO of Shavlik Technologies. "There are people making sample code from these within a few days" of the patch releases, he says.
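The rule of thumb above (remotable, unauthenticated holes first; code execution outranks a plain crash; bugs that need a user to open a file rank lower) can be turned into a repeatable triage step for a patch batch. The script below is an added example and is not part of the article or any vendor tool; the weights, the threshold for expediting, and the catalog entries are constructed from the article's descriptions of the four reported issues, not taken from a Microsoft bulletin.

```python
"""Rank a Patch Tuesday batch by exposure, defender-side triage helper.

Added example, not from the article. Weights and catalog entries below are
constructed to mirror the article's descriptions; adjust to local policy.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Issue:
    name: str
    remote: bool            # reachable over the network from another host
    needs_credentials: bool  # attacker must already hold a valid account
    rce: bool               # remote code execution reported as possible
    user_interaction: bool  # victim must open a file or visit a page


def exposure_score(issue: Issue) -> int:
    """Higher means patch sooner. Remotable + unauthenticated dominates,
    as in the quoted advice; RCE outranks a denial of service; issues that
    need no user action rank above ones that do. Weights are constructed."""
    score = 0
    if issue.remote:
        score += 4
    if not issue.needs_credentials:
        score += 3
    if issue.rce:
        score += 2
    if not issue.user_interaction:
        score += 1
    return score


def recommended_window(issue: Issue) -> str:
    """Map a score to a rollout lane. The cutoff of 9 is a constructed
    policy value: anything at or above it skips the normal multi-day
    test cycle the article's credit union describes."""
    return "expedite" if exposure_score(issue) >= 9 else "standard test cycle"


def prioritize(issues: List[Issue]) -> List[Issue]:
    """Stable sort: highest exposure first, ties broken by name."""
    return sorted(issues, key=lambda i: (-exposure_score(i), i.name))


# Constructed catalog built from the article's bullet list. The fourth item
# (an unspecified server "blue screen") gives too little detail to score, so
# it is carried with conservative unknowns and flagged in its name.
CATALOG = [
    Issue("SMB srv.sys crash (published exploit)",
          remote=True, needs_credentials=False, rce=True, user_interaction=False),
    Issue("RRAS crash (PoC)",
          remote=True, needs_credentials=True, rce=True, user_interaction=False),
    Issue("Crafted image file crash (PoC)",
          remote=False, needs_credentials=False, rce=False, user_interaction=True),
    Issue("Unspecified server blue screen (details unknown)",
          remote=True, needs_credentials=True, rce=False, user_interaction=False),
]


def triage_report(issues: List[Issue]) -> List[str]:
    """One line per issue, highest priority first."""
    return [f"{exposure_score(i):2d}  {recommended_window(i):20s}  {i.name}"
            for i in prioritize(issues)]


if __name__ == "__main__":
    for line in triage_report(CATALOG):
        print(line)
```

The ordering this produces puts the unauthenticated SMB server bug ahead of the RRAS bug, which in turn outranks the image-file crash; only the first one crosses the expedite threshold, so the other three would follow the normal test-before-deploy cycle. Tune the weights and cutoff to your own change-control policy rather than treating these numbers as authoritative.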
This may not be so convenient for enterprises, however, notes Dennis Szerszen, vice president of marketing and corporate development for SecureWave. Microsoft's patch schedule basically dictates when enterprises have to patch, he says. "It's good to have a regular schedule for patching. But it's another thing to expect enterprises to pick up and apply patches as priorities."
"It's kind of disruptive for any company to say you need to put these patches on immediately," Szerszen explains. "There's a change control process most enterprises have to follow," and once the patches are out, you have no choice but to drop everything and patch, he says.
Collier doesn't expect much change in Patch Tuesdays when Microsoft's more secure Vista and IE7 arrive, because attackers will always find some way to get in. "Coders are coders," he says.
Kelly Jackson Higgins, Senior Editor, Dark Reading