There's some good news and bad news about next Tuesday's scheduled monthly patch day. The bad news is that it will be monster big, with restarts required. Microsoft will issue 12 updates that fix 22 holes, including holes in Internet Explorer (IE), Windows, its Internet server and Visio. So what, pray tell, is the good news? Microsoft will be fixing three well-known zero-day bugs: one in IE, one in Windows (the GRE hole) and the third in the IIS Web server.
All versions of Windows, including Windows 7 and Windows Server 2008 R2 (but not the Server Core edition), will get multiple critical patches. The day will feature three critical patches (remote code execution), with the remainder rated important. The patches will fix five RCE holes all told, one of which has a downgraded rating of important.
The IE fix is expected to be the one that puts a cork in a bug Microsoft acknowledged on Dec. 22. The bug let attackers hijack a PC by manipulating IE's HTML engine when the browser processed CSS that included "@import" rules, and it sidestepped Windows 7 security. It affected all supported versions of IE (6, 7 and 8), and attack code has been circulating since shortly before Microsoft let users know about the bug.
But perhaps the highlight of the day will be the massive number of Windows machines simultaneously rebooting thanks to the fact that 10 out of the 12 bulletins require a restart and the other two "may" require a restart.
"Last month, we were waiting for the IE patch that never came and this month we get to celebrate the national day of love by all of us simultaneously rebooting our PC's," quips Paul Henry, security analyst for patch-management vendor Lumension. "As we know from experience, reboots of this magnitude have been known to upset services and applications so it’s possible we will see similar problems to what we encountered in 2007 when a large Microsoft Patch that required a reboot crippled applications, Skype in particular."
So enterprises, please consider yourself warned. Valentine's Day Patch Tuesday could make for a "lovely" morning.
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.