Tuesday's Patch Will Be a Windows Wash

Microsoft today signaled that a hefty batch of security fixes will arrive on Tuesday.

Microsoft's has tended to break its own records of late. In the past six months, Patch Tuesdays have seemed more like "Fat Tuesdays," at least in terms of the volume of fixes contained in the monthly patch. February's patch looks to be no different. According to Microsoft's advance notice, it will contain 13 fixes -- five "critical," seven "important" and one "moderate" fix.

"This amount of bulletins make this the busiest February we've seen from Microsoft, with only four [seen in February of] last year and an average of 11 to 12 [bulletins seen] in the three years prior," said Sheldon Malm, senior director of security strategy at Rapid7.

"All eyes will be on Internet Explorer, given last month's out-of-band update and the current zero day [bug] affecting older versions and instances where Protected Mode is disabled."

Critical Items
The five critical security fixes will be targeted toward most Windows operating systems, according to Microsoft's advance notice. Every fix will be associated with remote code execution (RCE) security implications across several as-yet-unspecified Windows components. The most pressing Windows component so far this year from a security perspective has been Internet Explorer, expert say.

While the critical fixes apply across most Windows OSes, there will be a couple of exceptions. Critical patch No. 2 will not affect Vista, Windows 7 or Windows Server 2008. Critical patch No. 4 only touches on Vista and Windows Server 2008.

Important Items
The seven important items will be a mixed bag of RCE, elevation-of-privilege and denial-of-service exploit patches affecting both Windows components and Microsoft Office applications. Every supported Windows OS is affected in some form or another.

For the Office fixes, only Office apps sitting on Office XP, Office 2003 and Office 2004 for Mac will be affected.

Moderate Item
The lone moderate fix will only touch on the Windows 2000 and Windows XP operating systems as a patch for an RCE exploit.

It will be a busy day next Tuesday if the advance notice is any indication. Security experts anticipate no less than 20 vulnerabilities targeted in the February patch. All 13 security items may require a system restart.

"None of the operating systems escaped this month's updates. Even the latest versions of Windows have been hit hard this month, with six updates for Vista, eight for Server 2008, and five for Server 2008 R2 and Windows 7," Malm said in reference to the advance bulletin. "I won't be surprised if Microsoft is playing catch-up on some lingering vulnerabilities from last year."

If any IT administrators still have time for nonsecurity updates, they can check out this Knowledge Base article. It describes updates arriving via Windows Update, Microsoft Update and Windows Server Update Service.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.