Busy Patch Tuesday Piles Work on Sysadmins

Microsoft (Nasdaq: MSFT) released 11 security updates to patch 17 vulnerabilities on Tuesday, by far its largest release in a year.

There were five critical and six important updates, the two highest levels issued by the software company. The patches cover a wide range of Microsoft products from Word, Publisher and the Office suite down to Microsoft Works, its Web server applications and Vista's implementation on the desktop.

The updates come less than a month after vendors such as Skype, Adobe Systems (Nasdaq: ADBE) and Apple (Nasdaq: AAPL) issued a series of patches. The sheer number of patches released within the past two weeks has placed IT departments in the unenviable position of trying to catch up with potentially malicious crackers.

"After several slow Patch Tuesdays, administrators are faced with the most patches they've seen in a year," Paul Zimski, senior direcor of market strategy with Scotsdale, Ariz.-based Lumension Security, told TechNewsWorld. "Because so many critical patches affect so many applications, these are widespread enough to have a bigger effect than we've seen in a year and they are going to require the utmost attention and energy."

The Web Server Problem

While the Office suite patches are likely the most important for day-to-day operations, the most time-consuming patches involve the Internet Information Services (IIS), which are Internet-based applications for Windows servers, Andrew Storms, director of security for San Francisco-based nCircle, told TechNewsWorld.

Many companies write code for their Web sites, which means any patch that is deployed will need to be tested to make sure that the systems work properly with the home-grown code. If the two systems don't work together, companies could lose their Web sites until the patch can be fixed. Companies could roll back the fix, but that would leave their Web site vulnerable to attacks, said Storms.

"It's going to take some time to test and deploy the IIS patches," said Storms. "That means the hackers have a longer time to seek out exploits in the system."

Patch Tuesdays

At the end of the day, though, Storms said the updates -- while taxing for IT departments -- are a normal part of Microsoft's operation.

The company releases security updates on the second Tuesday of each month. The number of fixes varies, depending upon the testing and research process. Last February, the company released 12 patches. Last month, it released two.

Microsoft has hired a series of private companies -- and its own security experts -- to look for flaws, which it then uses to develop patches. Once the systems have been tested, they are released to the general public.

"Microsoft has hired its own security folks -- along with other private vendors," said Storms. "This is likely the culmination of its release cycle. It's not necessarily out of the norm. Microsoft likely believed that these high-risk patches needed to be released now."