Microsoft’s Biggest Bug Stomp Ever

Microsoft on Tuesday delivered ten security bulletins, six of them labeled “critical” — including one in Internet Explorer (IE) that affects the latest version, IE8, which just shipped in March.

All told, June’s patch drop fixes a total of 31 vulnerabilities, making for a whopping amount of work for anyone who has to test and validate the fixes.

“June’s Patch Tuesday is generating a major workload for IT administrators. Microsoft released their biggest number of patches in recent memory,” Wolfgang Kandek, CTO of Qualys, told in an e-mail.

Security experts warned that IT staffers could be overwhelmed by what may be Microsoft’s (NASDAQ: MSFT) largest patch drop.

The company already warned IT staffers last week in its monthly pre-notification that this patch drop would be back to normal after May’s single patch. However, the sheer volume of the patches was not clear at that time.

Besides IE, other critical bugs that Microsoft patched this month include holes in Active Directory, the Windows print spooler and problems with Microsoft Office Word and Excel.

Microsoft releases a series of monthly patches on the second Tuesday of each month, a release schedule aimed at improving predictability for IT staffers tasked with installing and testing bug fixes. Relatively speaking, with fixes for 31 individual holes, June’s is a large group of patches to deal with.

If he had to choose only one patch to make sure IT administrators installed immediately, Don Leatham, senior director of solutions and strategy at security firm Lumension, said the choice is clear.

“The Internet Explorer patch is the one we identified as the biggest opportunity for disruption within organizations,” Leatham said. That patch (MS09-019) actually fixes a total of seven security holes in IE, he pointed out.

“Four of the seven bugs are simple HTML parsing issues … [and] every Web page at its core is HTML,” Leatham added.

He has company on both counts.

Ben Greenbaum, senior research manager at Symantec Security Response, also sees the IE problems, as well as the fact that this is the first patch for IE8, as important reasons to fix it quickly.

“The four Internet Explorer fixes that address HTML object memory corruption vulnerabilities … appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities,” Greenbaum said in an e-mail.

Microsoft also quietly fixed one outstanding bug — a hole in the way older versions of Microsoft’s Internet Information Server handle HTTP requests — for which it issued an advisory in late May.

That one was a so-called “zero-day” bug, since code to exploit the hole was already in circulation at the time Microsoft released the patch, which is numbered MS09-020.

What Microsoft didn’t fix this Patch Tuesday was a hole in Windows XP that the company warned customers about on May 29, after active attacks had already begun.

That’s not necessarily a surprise. The company typically takes a month to a month-and-a-half to patch newly discovered bugs that are important enough to rate a Security Advisory, as it did in that case.

“As expected, we did not see a patch for the DirectShow vulnerability,” Kandek said.