Yikes, Microsoft to patch 22 bugs next week

Three zero days will be fixed and security experts warn that the massive re-boot could cause some services to freak out.

There's some good news and bad news about next Tuesday's scheduled monthly patch day. The bad news is that it will be monster big, with restarts required. Microsoft will issue 12 bulletins that fix 22 holes, including holes in Internet Explorer (IE), Windows, its IIS web server and Visio. So what, pray tell, is the good news? Microsoft will be fixing three well-known zero-day bugs: one in IE, one in the Windows Graphics Rendering Engine (GRE), and a third in the IIS web server.

All supported versions of Windows, including Windows 7 and Windows Server 2008 R2 (but not the Server Core installation), will get multiple critical patches. The day will feature three bulletins rated critical (all remote code execution), with the remainder rated important. All told, the patches will fix five RCE holes, one of which has been downgraded to an important rating.

The IE fix is expected to be the one that puts a cork in a bug Microsoft acknowledged on Dec. 22. This bug let attackers hijack a PC by manipulating IE's HTML engine when the browser processed CSS that included "@import" rules, and the public exploit bypassed the DEP and ASLR mitigations on Windows 7. It affected all supported versions of IE (6, 7 and 8), and attack code has been circulating since shortly before Microsoft let users know about the bug.

But perhaps the highlight of the day will be the massive number of Windows machines simultaneously rebooting thanks to the fact that 10 out of the 12 bulletins require a restart and the other two "may" require a restart.

"Last month, we were waiting for the IE patch that never came and this month we get to celebrate the national day of love by all of us simultaneously rebooting our PCs," quips Paul Henry, security analyst for patch-management vendor Lumension. "As we know from experience, reboots of this magnitude have been known to upset services and applications so it's possible we will see similar problems to what we encountered in 2007 when a large Microsoft patch that required a reboot crippled applications, Skype in particular."

So enterprises, please consider yourself warned. Valentine's Day Patch Tuesday could make for a "lovely" morning.


Copyright © 2011 IDG Communications, Inc.