On Your Mark, Get Set... Patch

Microsoft will issue seven security bulletins on its monthly Patch Tuesday tomorrow, at least two of which will be labeled as "critical," Microsoft's highest ranking. There will be four patches for Windows and three for Office.

Fresh patches certainly don't mean the software giant will be resting any time soon. The French Security Incident Response Team (FrSIRT) yesterday found a new Office security hole it labeled as "critical" that lets attackers launch a denial-of-service attack or even take complete control of the system if a user opens an infected Word file. It's unclear whether tomorrow's patches will cover this vulnerability.

The latest patches follow various reports of Excel and Word holes since then, as well as the software giant's dozen last month. (See Microsoft Prepares to Patch Things Up, Unpatched Excel Flaw Surfaces, Attacks Mad, and Windows Flaw, Word Trojan Found.) "We're over our average number of patches just for these two months," says Eric Schultze, chief security architect for Shavlik Technologies. "But this doesn't mean Microsoft is getting worse or setting new records…it's just a timing issue. Microsoft just happened to have all of these things ready to go at the same time."

Although Microsoft gave users a heads up on tomorrow's patches with an advanced notification, the company doesn't provide details, so no one knows for sure what's in store. But it's likely the patches will cover known vulnerabilities that leave Excel and Internet Explorer open to zero-day attacks. And although Microsoft won't likely address the new vulnerability found by FrSIRT directly, the patches could take care of it, says Shavlik's Schultze, who doesn't consider the new hole to be a major problem since it requires a user opening a file for the attack to execute.

"Sometimes Microsoft is fixing one thing that is known, and it causes it to fix other things that are related but not yet published," he says. "So there's a good chance it [the latest vulnerability] could be patched tomorrow."

The latest Office vulnerability lies in a memory access error in the "mso.dll" library, according to the FrSIRT. "If this does what FrSIRT says it does, it could be mighty nasty," says Joe Hernick, director of IT at the Loomis Chaffee School. "Here's a big chance for Microsoft to shine and address this while the iron is hot. But my expectation is there will be yet another patch" later for it.

Jim Czyzewski, senior information systems specialist for MidMichigan Medical Center Midland, a PatchLink customer, says his top priorities tomorrow will be Windows patches. He and his team will meet and evaluate the patches when they arrive and then prioritize them. "We'll stage them based on how we rate them," he says.

Microsoft's latest round of patches won't be earth-shattering, but Microsoft says some will require reboots, a corporate IT manager's worst nightmare, according to Hernick. "And if I was in a corporate environment, these patches would be a pain in the butt because I would have to put them on a Windows server to test them with all the custom macros and application ties first," he says. "But it's not that big of a deal for a small organization. I'm just going to throw them on our server."

But can Microsoft continue playing catch-up with its software vulnerabilities? Richard Stiennon, president of IT-Harvest, says it's time Microsoft revamped IE, without its buggy legacy code. "They just can't chase this continuously," he says. "Ideally, I'd like to see them encapsulate Explorer in a virtual machine or other sandbox that's impervious to these types of attacks."

— Kelly Jackson Higgins, Senior Editor, Dark Reading