Microsoft (NASDAQ: MSFT) will ship 13 bug patches in next week’s “Patch Tuesday” drop — eight of them rated “critical” — the company’s most severe security ranking.
Of those, seven fix problems in Windows, according to Microsoft’s advance notice sent out Thursday.
Tuesday also carries a rather dubious distinction: It will fix the largest number of security holes ever, beating out June’s Patch Tuesday record of 31 holes fixed.
Overall, the 13 patches coming Tuesday fix a total of 34 holes in the company’s software, according to a post on the Microsoft’s Security Response Center (MSRC) Team blog Thursday.
Microsoft releases most patches for its products on a regular monthly cycle, on the second Tuesday of the month, thus the name “Patch Tuesday.”
Beyond the record, what may be most important about Tuesday’s patch release are patches to block two zero-day holes that have been nagging the company for more than a month.
For one, the patches aim to fix a vulnerability in Windows’ implementation of the popular File Transfer Protocol (FTP) that was discovered in early September.
A second patch will fix another zero-day hole discovered a few days later. It involves Microsoft’s implementation of the System Message Block version 2 file sharing protocol, referred to as SMB2.
Although Microsoft has issued workarounds for both problems, the only completely safe options are to disable or block both protocols. That can be problematic, however, as they generally disable functions some users rely on.
“Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible,” the blog post said.
Microsoft rarely releases information on a bug until a patch is available, so the advance notices do not contain much more detailed information about specifically what will be fixed on Patch Tuesday.
This time, the range of operating systems versions affected stretches from Windows 2000 Service Pack (SP) 4 through Windows XP and Windows Vista, as well as Windows Server 2003 up through Server 2008 Release 2 — although not all patches affect all versions.
One patch also affects Windows 7 running Internet Explorer 8.
The eighth critical patch fixes holes in two Microsoft Office applications, including both Outlook 2002 and 2003 (SP3) and Outlook 2007 SP1 and SP2, as well as Visio Viewers versions 2002, 2003, and 2007.
Besides that, other Microsoft software that’s affected by this month’s fixes includes SQL Server 2000 and 2005, Silverlight, and Visual Studio 2003, 2005, and 2008.
The other five patches, all rated “important” — Microsoft’s second-most severe rating — also affect Windows, including two that affect Windows 7.