Admins face record numbers of security fixes
Security vendors have started to react to yesterday’s barrage of security fixes released by Microsoft, saying the sheer volume of bulletins and subsequent patches is sure to give administrators problems, coming as they do just one week before Microsoft is expected to officially release Windows 7.
Microsoft today released 13 security bulletins that cover a total of 34 vulnerabilities, the most vulnerabilities ever addressed on a single patch day. The previous record was set in June when Microsoft addressed 31 vulnerabilities in ten bulletins.
Jason Miller, security manager at Shavlik Technologies, explained that of the 13 security bulletins released, eight have a severity rating of critical and the remaining five a severity rating of important. “For the first time, Windows 7 and Windows 2008 R2 are affected by security bulletins,” he added.
The view is that having to fix security vulnerabilities in the yet-to-be-released operating system indicates that version 7 will bring little change when it comes to the security of Windows.
“Microsoft is setting new records on security fixes in 2009,” said Dave Marcus, McAfee Labs director of security research. “Once again patching will be especially challenging for enterprises, which will need a solid risk management strategy to test and prioritise the fixes to fend off potential attacks.”
Among the patches, Microsoft has moved to address problems in its Internet Explorer browser. The fix should help protect users who visit a specially crafted web page, which could otherwise lead to remote code execution.
Two other bulletins fix problems affecting media playing on target systems, Shavlik said.
Previously, if a user opened a malicious streaming media file (ASF), an attacker could gain complete control of the system through remote code execution.
One fix is for Windows Media Player, and addresses one software vulnerability encountered by a user navigating to a directory containing a malicious file through Explorer. Before the fix, simply browsing to the folder, without opening the file, could have triggered the exploit.
Windows 7 is due October 22.