Yes, it is that time again. Time flies when you're having fun. The seventh Patch Tuesday of 2011 is next week on July 12. Microsoft predicts that we will see a meager four security bulletins next week, but don't let the small number fool you--there is a Critical security bulletin affecting Windows 7 and Windows Vista.
The light Patch Tuesday will certainly be welcome by IT admins--many of which are probably still trying to dig out and implement the updates from the 16 security bulletin avalanche that hit in June.
Amol Sarwate, Vulnerability Labs Manager for Qualys, explains, "The highest priority update is rated "Critical" and only affects Windows 7 and Windows Vista. The second highest priority will most likely be bulletin four--which fixes a remote code execution in Visio 2003 SP3."
Paul Henry, Security and Forensic Analyst at Lumension, cautions, though, "While this Patch Tuesday may appear insignificant with just four patches (a quarter of what we saw last month), the reality is that it will be rather disruptive, as all the patches impact Windows and Office and require a restart."
Henry adds that the cycle of detecting vulnerabilities and racing to patch them is fundamentally flawed. "This is an issue many technology providers consistently deal with and if they care about their users, will attempt to resolve. Of course, their attempts to stay on top of these updates are often in vain, as it's a function that is becoming ever more frequent and critical."
Andrew Storms, Director of Security Operations for nCircle, comments, "The good news is we can expect a light month and that's always a relief after a massive patch like the one we had in June. It's hard to read the tea leaves with Microsoft, but we are expecting the usual updates to older versions of Microsoft Office."
The concerning thing, though, is the security update aimed at Windows 7 and Windows Vista. Storms stresses, "On the OS side, bulletin one looks interesting because it only affects Windows7 and Vista. It's always a concern to see vulnerabilities in the most recent Microsoft desktop operating systems."
Generally speaking, legacy operating systems and applications are affected by more vulnerabilities, and the impact of those vulnerabilities is more severe than on the more current operating systems and applications. It is out of the ordinary to have a vulnerability that only affects Windows 7 and Windows Vista--but it also makes sense. These newer operating systems are fundamentally different than Windows XP and other predecessors, so they are bound to encounter issues that simply don't exist in the older platforms.
Consider this smaller Patch Tuesday a belated Independence Day gift from Microsoft, but don't take it too lightly.