Microsoft said it will deliver 10 security updates next week to patch serious bugs in Windows, Internet Explorer (IE), Word and Excel.
If the company follows through on its plans — sometimes Microsoft ditches an update at the last minute — this week's Patch Tuesday (June 9) will be the largest since October 2008.
“We're back to a normal load,” said Andrew Storms, director of security operations at nCircle Network Security. “Some may think of it as pretty big, but really, for anyone who's dealt with Patch Tuesday for the last five years, it's what we should be expecting.”
Last month, Microsoft issued just one security update, a 14-patch fix for PowerPoint.
Of the 10 updates Microsoft announced today in its monthly advance notification, six will affect Windows, and one each will patch problems in Internet Explorer (IE), Word, Excel and Microsoft Office. Six of the 10 were marked “critical,” Microsoft's highest threat ranking, while three were judged “moderate” and one as “important.”
The six critical updates will patch Windows (which gets two of the updates), IE, Word, Excel and Office.
“The red flag is going to be [the] IE [update].” said Storms. “It's critical, it's on all versions [of Windows], and it's even critical in Vista for IE7 and IE8.”
IE8, which was released in March, is Microsoft's most security-conscious browser yet. Tuesday's update will provide the first-ever production patches for IE8.
Microsoft will also issue patches for the Mac versions of PowerPoint. According to Microsoft, the Mac fixes “will be ready to go Tuesday.” Last month, Microsoft took the unusual step of patching the Windows versions of PowerPoint, but not the Mac editions, saying that it didn't want to postpone the update to await Mac fixes.
Attackers had been exploiting the PowerPoint bug in Windows since at least early April. “[But] none of the exploit samples we have analyzed will reliably exploit the Mac version, so we didn't want to hold the Windows security update while we wait for Mac packages,” Jonathan Ness, an engineer at the Microsoft Security Response Center, explained last month.
Some criticized Microsoft's decision. Swa Frantzen, an analyst at SANS Institute's Internet Storm Center (ISC), said Microsoft was breaking its own rules about “responsible disclosure” by letting the Mac patches slide. “We all know from past experience [that] the reverse engineering of patches back into exploits starts at the time — if not before — the patches are released,” said Frantzen four weeks ago. “So in the end, Microsoft just released what hackers need to attack.”
Other recently-acknowledged bugs may or may not get fixed next week, said Storms. He was pessimistic about Microsoft patching a problem in DirectX that the company confirmed only last week; the bug is actively being exploited by hackers, according to Microsoft. None of the updates' revealed today seemed to fit the affected software profile of the DirectX vulnerability, Storms said.
Microsoft confirmed Storms' suspicions that the company will not patch the DirectX bug. “Our security teams are working hard on a security update that addresses this issue, but we do not yet have an update that has reached the appropriate level of quality for broad distribution,” said Jerry Bryant in an entry to the Microsoft Security Response Center blog.
But another outstanding advisory, which Microsoft reported two weeks ago and which involved its Internet Information Services (IIS) Web-server software, may get patched. “It's not called out as IIS, so it's hard to say if it will be patched, but I could see them putting it under one of the [six] Windows updates,” said Storms. Microsoft has downplayed the IIS bug, which could be used by criminals to steal data from Web servers, because only some configurations are at risk.
Next week's update will be the largest by bulletin count since Microsoft issued 11 on Oct. 14, 2008, but users and IT administrators won't really know the extent of their patching job until the total CVE (Common Vulnerabilities and Exposure) count is revealed Tuesday, Storms argued. Microsoft often bundles multiple patches — each identified by a specific CVE number assigned to the flaw that it fixes — in each update. “The workload will depend on the CVE count out of this,” said Storms. “We may get 60, or we may get 20.”
While the CVE count doesn't affect the testing companies do on Microsoft's security updates, it can affect the amount of work if, as is often the case, an organization is unable to patch immediately and so implements the workarounds that Microsoft recommends. In its update bulletins, Microsoft lists separate workarounds for each CVE; in other words, if an update includes five patches for five CVEs, it could list five different workarounds.
“So it could go either way next week,” said Storms. “But it's going to be an all-eyes forward on the IE update. That's the red flag for June.”
Microsoft will release the 10 security updates at approximately 1 p.m. ET on June 9.