News

Third-Party Software Flaws Spawn Heavy April Patch Tuesday for Microsoft

After a light Patch Tuesday in March, Windows security experts can expect a deluge of updates next week, based on Microsoft's advance notice on Thursday.

Microsoft plans to roll out 17 patches on Tuesday, with nine categorized as "critical" and eight as "important." No less than 15 of the scheduled 17 patches address remote code execution (RCE) attacks. The remaining two address elevation-of-privilege and information disclosure threats.

"No matter how you look at it, it's ugly," said Paul Henry, forensic and security analyst at Lumension. "We're well into a new year and things have not improved. In fact, they've gotten worse."

The recent expansion in the number of Microsoft's security bulletins comes from a spike in vulnerabilities affecting third-party software designed to run on Windows or that users with Windows systems download, Henry explained.

"All of this is further evidence that our methods of securing our systems just aren't up to par," Henry said. "Again and again, Microsoft falls victim to third-party software causing a major breach. Everyone blames Microsoft month after month for patching issues, but this is not just a Microsoft issue. Unless we're going to get busy patching this garbage we're installing on our systems, it's going to continue to be an issue."

Critical Fixes
The first critical security bulletin appears to be the long-awaited cumulative fix for Internet Explorer. It will address every supported Windows operating system and covers IE 6, 7 and 8 browsers.

The remaining eight critical security bulletins are all Windows OS-level fixes with RCE exploit risks. Critical security bulletin No. 6 also includes a fix for Microsoft Office.

Important Fixes
The important security bulletins are a hodgepodge of updates that affect various programs, including Office and development tools, along with Windows. Word, Excel and PowerPoint are all in the patch crosshairs for April.

All 17 updates may require restarts. With the growth of vulnerabilities and patches, it may be helpful to some Windows IT pros to check out the newly released Microsoft Security Update Guide, an aid for keeping track of patches and evaluating threat risks.

Administrators can also check this Knowledge Base article for information about nonsecurity updates being pushed out via Windows Update, Microsoft Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • Microsoft Says System Center 2022 Will Arrive Early Next Year

    Microsoft is planning to release its new System Center product in the first quarter of 2022, with a private preview arriving within months.

  • Microsoft Talks Up Windows Server 2022's Azure Integrations

    Windows Server became available on Sept. 1; last week, Microsoft gave the product its official unveiling, focusing on all of the other products and services it will work with.

  • 2021 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.