Microsoft Plays Catch-Up With Biggest Patch Drop

Patch Tuesday

Microsoft released a record-setting batch of patches today, including fixes for several zero-day threats that have gone without official patches for a month or longer.

As Microsoft (NASDAQ: MSFT) promised last week in its advance notification about the patches to come today — as part of its regular “Patch Tuesday” roundup of software updates — this drop fixes a number of holes that have been nagging Microsoft users for weeks.

Tuesday’s collection of patches fix 34 bugs with 13 patches, 22 of which are rated “critical,” including fixes for two holes in Windows 7, which won’t even debut officially until the end of next week.

In fact, this is the largest batch of fixes that Microsoft has ever released at once, up from 31 holes patched back in June.

“Today marks the largest patch Tuesday ever from our friends in Redmond … covering a total of 34 potential exploits,” Josh Phillips, a virus researcher at Kaspersky Lab, said in an e-mail. “Three of the exploits have had public code posted while 11 of them are rated as likely to be consistently exploitable.”

For October, besides fixing newly disclosed bugs, the company is addressing other critical problems that have been nagging Microsoft and IT shops for some time.

One patch aims to shore up a zero-day vulnerability in Windows’ implementation of the popular File Transfer Protocol (FTP) that was disclosed in early September.

A second patch fixes another zero-day hole, also discovered in early September. It involves Microsoft’s implementation of the System Message Block version 2 file sharing protocol, known as SMB2.

Though Microsoft had previously issued workarounds for both problems, the only completely safe options prior to the fixes were to disable or block both protocols — unfortunately, they were functions some users rely on.

Other patches, for instance, fix additional holes found in a zero-day that Microsoft patched last summer. The zero-day takes advantage of flaws in what is called the Active Template Library, or ATL.

Other bug patches fix holes in Windows Media Player, problems with Internet Explorer, and flaws in Silverlight.

For Windows 7, the Patch Tuesday update delivers fixes for two critical holes. The software is set to ship to consumers on Oct. 22.

“Microsoft released the first-ever security update for the Release To Manufacturing version of Windows 7,” Ben Greenbaum, senior research manager for Symantec Security Response, said in an e-mail. One of the updates that “addresses vulnerabilities in Windows 7 relates to the Active Template Library issues Microsoft has been working on for a number of months now,” he said.

The second patch fixes several flaws in the way that Internet Explorer works with Windows 7 — one of which had already been publicly disclosed as a zero-day bug. That and another Windows 7 patch also fix critical holes in Windows Server 2008 R2 — which shares the same kernel as Windows 7.

Microsoft’s patches for October are available here.

News Around the Web