Prepare for Record Onslaught of Patches from Microsoft
Next Tuesday will be Microsoft's Patch Tuesday for the month of October. IT admins, consider this your advance notice to clear your calendar for next week and prepare to address a record-setting 16 security bulletins.
Issuing 16 security bulletins in one month is a new record--besting the record of 14 security bulletins issued just two months ago in August. Addressing 49 different identified vulnerabilities in one Patch Tuesday also breaks new territory.
Andrew Storms, director of security operations for nCircle, explains, "October is usually a heavy month for Microsoft security bulletins and that trend definitely continues this year with a record setting 16 bulletins and 49 CVEs. The theory behind the larger October patch is that many industries go into 'lock-down' mode with their critical infrastructure as the end of year approaches. Finance and retail sectors in particular are extremely careful with changes in the latter part of the year given the heavy volume of online shopping."
The advance notification from Microsoft serves as a general heads up, but details regarding the patches are scarce. What we know is that a total of 16 security bulletins are planned, and that the breakdown of criticality is that four are projected to be Critical, ten Important, and two Moderate.
Another point worth mentioning is that all four of the Critical security bulletins apply to Windows 7 as well--although one of those four is the ubiquitous Internet Explorer cumulative update. Four Critical security bulletins for Windows 7 is unusual, though, as the security controls inherent in Windows 7 usually reduce or minimize the impact of vulnerabilities on the OS and demonstrate its superior security model over legacy platforms like Windows XP.
This record Patch Tuesday follows in the wake of an out-of-band update released during September to address a vulnerability with ASP.NET which could allow an attacker to gain access to privileged or sensitive information. Were it not for MS10-070, we might be looking at 17 security bulletins next week.
nCircle's Storms also notes, though, that, "The outstanding DLL load hijacking vulnerabilities are not specifically spelled out as being fixed this month. We'll have to wait and see how Microsoft chooses to address this issue."