Batten Down the Hatches for Microsoft and Adobe Patches
Next Tuesday is both Microsoft's Patch Tuesday for April, and Adobe's quarterly patch release. Combined, there are a total of 27 vulnerabilities being patched in Microsoft Windows, Microsoft Office, Adobe Acrobat, and the Acrobat Reader application. It will be a busy day for IT administrators and information security professionals to analyze and prioritize the deluge of updates.
It seems a little odd to have a Patch Tuesday so far into the month, but when the first of the month falls on a Thursday it takes longer to get to the second Tuesday of the month. Things also seem a little out of whack in terms of timing due to the out-of-band update Microsoft issued for Internet Explorer on March 30.
Nevertheless, Patch Tuesday is coming. Amol Sarwate, manager of Qualys' Vulnerability Research Lab, e-mailed to provide some expert insight on what Microsoft has in store. "There are 11 security bulletins that affect a range of Windows operating system components as well as Microsoft Office and Microsoft Exchange. This is a fairly large update and will keep system administrators busy on Patch Tuesday."
Sarwate explained "Out of the 11 security bulletins, five are rated Critical and affect components in Windows 2000, XP, Vista, 2003, 2008 and Windows 7. If left un-patched, an attacker could execute code or programs on the victim's machine and therefore all are categorized as remote code execution."
In addition to the five Critical security bulletins, Microsoft has five Important, and one Moderate security bulletin planned for issues affecting Microsoft Office, Microsoft Exchange, and components of Windows. The patches for almost all of the security bulletins will require that the system be rebooted to complete the process.
While Windows 7 is affected, it is worth nothing that Windows 7 has fewer vulnerabilities rated as Critical. Month after month Windows 7 demonstrates why it's time to drop the decade old Windows XP and make the switch to the current flagship desktop OS.
As if 11 security bulletins from Microsoft isn't enough for one day (or week...or month), IT administrators will also have to deal with the quarterly security update from Adobe. The Adobe update is also rated as Critical and will address flaws in Adobe Acrobat 9.3, and the fairly ubiquitous Acrobat Reader.
Realizing that it is in the crosshairs of malware developers, Adobe is also taking a proactive step to simplify the updating process for users. Adobe will be distributing an automatic updater utility it has been beta testing the past couple of months. The updater utility will silently patch Adobe products in the background without any user intervention required--ostensibly ensuring patches are applied on more systems as soon as possible.
Adobe has been quite successful at weaving itself into the culture of both the Web and business computing, which is the primary reason it has a bullseye on its back. It isn't practical to avoid Adobe altogether, and I am not suggesting that as a viable option, but there are many alternative utilities out there for working with PDF files, such as the Nuance PDF Reader.
Like Automatic Updates in Microsoft Windows, the automatic updater application from Adobe will be welcome by consumers, as well as small and medium businesses that don't have the resources for a more formal patch management process. Larger companies will most likely still want to test and approve patches--rather than relying on silent updates--to ensure the patches will not adversely affect critical business applications.