Microsoft issued its Microsoft Security Bulletin Advance Notification for February 2010 yesterday. The notice warns that Patch Tuesday next week will see 13 security bulletins, tying October 2009 for the most security bulletins released in a single month.
January was an exceptionally light month for Microsoft security bulletins, with only one released on schedule on Patch Tuesday. However, revelations about an Internet Explorer zero-day exploit being used to launch attacks against Google and other companies in China led Microsoft to also issue an out-of-band update addressing the vulnerability in the Web browser.
Tyler Reguly, senior security engineer for nCircle, expressed some "sticker shock": "As an information security professional, the first word that comes to mind when I see this advanced notice is 'yikes!'. nCircle VERT works all night to deliver local and remote detection to customers and this many bulletins means a long night requiring plenty of caffeine."
Reguly added, "I'm most intrigued by bulletin number nine in the advanced notification. I'm curious to know what issue it is that plagues only Server 2008 and Server 2008 R2 in x64 configurations."
Jerry Bryant, senior security communications manager for Microsoft, described the upcoming Patch Tuesday in a blog post. "This month, we will be releasing 13 bulletins--five rated Critical, seven rated Important, and one rated Moderate--addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office."
Bryant's blog post also contains a table that lays out Microsoft's deployment-urgency guidance by platform. Windows 2000 and Windows XP, the oldest operating systems tracked in the table, are the most affected by issues rated Critical.
Microsoft is scheduled to end all support for Windows 2000 and for Windows XP SP2 effective July 13, 2010. Bryant says, "We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built into these products."
Businesses still on Windows 2000 will be forced to upgrade to some other version of Windows, or an alternate operating system, or simply continue to rely on the archaic platform with the knowledge that Microsoft will no longer support or update it.
Companies that use Windows XP SP2 have a much easier solution because they can simply apply Service Pack 3. It is also worth noting that support for Windows Vista RTM ends April 13, 2010, so businesses that have deployed Windows Vista need to ensure systems are updated to Service Pack 1.
The Internet Explorer flaw identified in Microsoft Security Advisory 980088, released by Microsoft yesterday, will not be patched this month. Microsoft states in the security advisory that the vulnerability is not currently being exploited in the wild, and provides some steps to mitigate the threat and protect your systems until an actual patch is available.
As Reguly suggested, IT administrators may want to start a pot of coffee and make sure the break room fridge is stocked with Mountain Dew. Next Tuesday will be the beginning of some long hours testing and patching.