Microsoft made the most of this month’s regular Patch Tuesday, putting out a dozen patches highlighted by a fix for the serious, zero-day Word vulnerability that has been the basis for targeted attacks since it was uncovered last month.
Microsoft also patched seven other “critical” vulnerabilities, three less-severe “important” vulnerabilities, and a “moderate” problem with Windows 2000 SP4.
While grappling with the Windows security issues, Microsoft has signaled that the days of such regular, required software patching may be numbered with its upcoming Vista operating system and new security software. There was no shortage of skepticism among industry security experts, however.
“I think Vista will have just as many [vulnerabilities], and we will experience a vulnerability for the first Patch Tuesday after Vista is released,” IT-Harvest Founder and Chief Analyst Richard Stiennon told TechNewsWorld, adding that Microsoft had already affirmed his prediction by having to patch, outside of its regular schedule, the beta version of Vista for the serious Windows Metafile (WMF) vulnerability in January.
Biggest Patch Release
This week’s collection of patches, part of Microsoft’s regular schedule on the second Tuesday of the month, was the largest the software giant has released so far, VeriSign iDefense Senior Engineer Ken Dunham told TechNewsWorld.
He said a number of the vulnerabilities addressed by the latest batch allow for remote execution of code, a significant danger to IT security.
“So everybody’s trying to triage,” Dunham said.
Windows Media Malware?
Much of the attention on Tuesday’s patch release from Redmond centered on the recently discovered Word vulnerability, described as zero-day, meaning no patch existed for the vulnerability at the time an exploit was developed and released into the wild.
However, the attacks that have leveraged the Word hole so far have been targeted, and the exploits are actually “very closely held” by attackers, according to Dunham.
He stressed the significance of other critical vulnerabilities, though, including a Windows Media Player Portable Network Graphics (PNG) hole that allows remote code execution and could be trouble.
“That is possible to exploit through the Web, e-mail, skins and other things,” Dunham said. “In the next week or so, that could become a more serious issue.”
Security Volume and Vista
Even though Microsoft has made the patches available, there is no guarantee users will install the security fixes, Stiennon said.
Microsoft’s Patch Tuesdays, which began in October 2003, had been helpful for security administrators, but the sheer number of required patches is still painful, something that Stiennon believes will continue with Vista.
“I think it’s still the volume that’s significant,” he said. “And it’s in the same time period they’re introducing Antigen and OneCare, and getting ready to release their antivirus. I think it’s kind of ironic, just the juxtaposition of events.”