Microsoft today said it would deliver nine security updates next week, four of them critical, to patch 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net and Silverlight.
This year’s February Patch Tuesday will feature three fewer updates and one less patch than 2011’s.
Four of the nine updates were tagged “critical,” the highest threat ranking in Microsoft’s four-step system, while the other five were marked “important,” the second-level rating. All of the critical updates and two of those pegged important will patch bugs that Microsoft admitted could be exploited by attackers to hijack computers and plant malware on PCs.
One interesting thing in today’s advance notification, said Andrew Storms, director of security operations at nCircle Security, was the impact on Windows Server 2008 R2, Microsoft’s newest server operating system.
“Seven Windows- and IE-related bulletins are applicable to Server 2008 R2, but Windows XP [32-bit] has only four. It’s another lopsided month,” said Storms, referring to past Microsoft claims that older software receive more security updates than newer titles.
That upside-down pattern has been prevalent lately. “If it keeps up, pretty soon ‘lopsided’ won’t be lopsided,” Storms said in an interview.
Another sign is the difference in the number of bulletins that affect Windows XP and Windows 7: One critical update is not applicable to the 10-year-old Windows XP, but does affect both 2007’s Windows Vista and 2009’s Windows 7.
Storms and several other security experts who weighed in via email unanimously pointed to the IE update as the one users will want to deploy first.
Microsoft patches its browser every other month.
“Last month, we saw how quickly attackers are incorporating browser-based attacks into their toolkits,” Wolfgang Kandek, chief technology officer of Qualys, said in an email today. “An exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.”
MS12-004 was issued Jan. 10 to quash a pair of bugs in Windows Media Player that could be exploited using “drive-by” attacks triggered when users simply browse to a malicious site. Two weeks later, antivirus firm Trend Micro said browser-based attacks leveraging a Media Player bug were already circulating.
Marcus Carey, a security researcher at Rapid7, agreed with Kandek. “We’re seeing a great many browser patches from Microsoft these days because researchers and attackers have realized that browser exploits have the most potential for harm and are currently the best attack surface,” Carey said.
Next Tuesday’s IE update will address one or more vulnerabilities in all versions of the browser, from the decade-old IE6 to last year’s IE9. Storms pointed out that IE6’s update is graded as “moderate,” third on Microsoft’s scale, while the newer browsers’ patches will be pegged critical or important, depending on the version and operating system.
“The conclusion we can draw is that while IE6 is still vulnerable, [the bug] may be harder to get at than the other versions,” said Storms. “But they’ll patch it anyway.”
Other updates will tackle vulnerabilities in Visio 2010, a diagramming application that’s part of the Office family; SharePoint Server 2010; and the .Net and Silverlight frameworks, which are used by developers to craft applications and websites.
None of the updates scheduled to ship next week appear to be connected to an unsolved security advisory, Storms said.
Microsoft will release the nine updates at approximately 1 p.m. ET on Feb. 14.
“That’s Valentine’s Day,” noted Storms. “I can bet that some will be using it as an excuse that they forgot.”
Unless Microsoft issues a surprise security update after next Tuesday — unlikely, as it shipped just one “out-of-band” patch in all of 2011 — next week’s batch will be the last from the company before its Windows 7 and Internet Explorer 9 face exploits at this year’s Pwn2Own hacking contest, which will kick off March 7 and wrap up two days later.