Today is the final Microsoft Patch Tuesday for 2010. It has been a busy year for Microsoft when it comes to security bulletins, and December is no exception as Microsoft closes out the year with a record 17 security bulletins. With only a week or so until many IT admins plan to kiss 2010 goodbye and break for the holidays, it is important to understand and prioritize the latest patches for quick implementation.
Joshua Talbot, security intelligence manager for Symantec Security Response breaks down the 2010 milestones for Microsoft. “Seventeen bulletins are the most ever issued in a single month. Also, Microsoft has now released 106 security bulletins in 2010–the first time topping the century mark since the Patch Tuesday program began. The next closest was 78 in 2006 and 2008. Finally, by Symantec’s count Microsoft far surpassed the number of vulnerabilities patched in a single year with 261. The previous record was 170 set last year.”
Depending on your perspective, 2010 either proves just how flawed and vulnerable Microsoft software is, or it illustrates how successful Microsoft has been at identifying and resolving vulnerabilities. I tend to side with the perspective that the software itself is not any more flawed than previous years–in fact possibly less–but that Microsoft has become more agile at addressing vulnerabilities as they are discovered.
A Microsoft spokesperson sent along some guidance. “Microsoft encourages customers to test and deploy all updates as soon as possible to help prevent criminal attacks on their computers.”
Microsoft provides the Severity and Exploitability Index, as well as a Deployment Priority guide to help IT admins asses the risk and prioritize the updates. As a part of that guidance, Microsoft stresses that the two Critical security bulletins–MS10-090, the security bulletin addressing Internet Explorer vulnerabilities, and MS10-091, the security bulletin related to flaws in the Windows operating system–be given priority attention.
Andrew Storms, Director of Security Operations for nCircle, agrees with the urgency for the IE update. “The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November. With more and more people shopping online this time of year, it’s important for everyone to patch their browsers.”
“Many of the patches are deemed as “important,” and a very low amount marked as “critical” vulnerabilities,” said Dave Marcus, director of security research and communications at McAfee Labs. “It seems the majority of Patch Tuesday’s are bringing record numbers of updates, and other applications from Adobe, Oracle have increasing numbers as well. The threat landscape is clearly broadening, and if organizations wait to patch, it gives cybercriminals an opportunity to exploit data.”
A spokesperson for Webroot e-mailed me to stress that IT admins go the extra mile to test and implement patches as quickly as possible before taking off for the holidays. “People should apply the patches as soon as they can to remain fully protected against malware. It doesn’t take exploit kit creators long to build new exploits once patches have been released, so getting the fixes applied before new exploits hit the net is going to be a race against time.”
Webroot also points out that most of the patches require a reboot to complete, and that systems that update while users are away over the holidays could be at risk of losing data in open files on the desktop. Webroot suggests, “People might want to either fully power down a work PC if you’re going to be away from the office or at least save all your work and close any open apps so you don’t lose anything when Windows Update tries to force the PC to reboot during the patch installation.”