Microsoft yesterday announced that it will release a dozen security updates next week, matching the patch record set a year ago. Seven of the 12 will be tagged with the company's highest threat ranking of 'critical'.
"There's not a Windows shop anywhere in the world that won't need to deploy at least one of these patches," said Andrew Storms, director of security operations at nCircle. And most will be taking all 12."
The tally matches the most delivered in any month during 2007 - that was February as well - and greatly outnumbers the two Microsoft handed over last month.
Storms made the case that both the width and depth of the updates means that virtually all parts of the Windows ecosystem will need attention next Tuesday.
"Not only are these across the board, but they're deep and wide, too," Storms said.
"It's applications as well as operating systems, on the client side and on the server side."
Among the dozen updates listed in the pre-patch notification posted to the Microsoft website yesterday are three slated for Microsoft Office, three for Windows, two for Internet Information Services (IIS), and one each for Internet Explorer, Microsoft Works, VBScript and JScript, and Active Directory.
Nor will the patches be limited to Windows, according to Microsoft. Several of the bulletins spell out fixes to Office 2004 for Mac.
But it's the sheer number of updates that struck Storms.
"Quite a few people are going to be working overtime next week, starting Tuesday," he said, referring to IT staff responsible for testing and deploying security updates.
Some past vulnerability trends also look like they're continuing, he added, pointing to the three Office updates. Each pegged an application in the Office 2000 edition with a "critical" vulnerability, but labelled the same bug only "important" in Office XP and Office 2003.
The same applications in Office 2007 on Windows and Office for Mac 2008 were missing from the list, indicating that they posed no risk.
"This is following the trend we've been watching for some time," Storms said. "The newer applications are more secure, as they should be since Microsoft has done more [security-related] work on the newer apps."
He speculated that the Office and Works flaws would turn out to be file format parsing issues - a good bet since the bulk of vulnerabilities uncovered in the past two years in those suites have been related to file format problems - and that one of the three Windows fixes may be related to the IP stack.
"In that bulletin, it's listed 'critical' on the client but only 'moderate' on Server 2003. That tells me there's something in the code base that's different [between the client and server versions of Windows]. It might be something to do with the IP stack, maybe another ICMP or IGMP vulnerability."
Last month's sole critical bulletin patched multiple protocol vulnerabilities in Windows, including one in Internet Group Management Protocol (IGMP); Microsoft updated the bulletin several times, adding Small Business Server and Windows Home Server to the original list of affected systems, and researchers countered the company's claim that an exploit would be tough to craft by coming up with one within days.
Microsoft will issue the 12 updates next Tuesday, as well as seven high-priority, non-security updates, five of which will be for parts of the company's Office line-up.