Nine critical updates for Patch Tuesday

By | August 9, 2006

This Patch Tuesday, Microsoft released 9 critical patch updates for issues that could allow remote code execution – 3 browser-related vulnerabilities, 3 Windows vulnerabilities, an Office vulnerability in PowerPoint, and 2 other critical vulnerabilities, of which the Windows and Browser issues are likely highest risk for most customers due to wide usage within a typical network.

Four out of the nine critical patches actually supersede previously published patches, and in total around two dozen CVE (Common Vulnerabilities and exposures) vulnerabilities are fixed by new patch updates this Patch Tuesday.

Because security vulnerabilities are usually errors unintentionally put in code by programmers, the chances of finding a new vulnerability in an adjacent area of code or functionality is much more likely than your chances of identifying a brand new and unique vulnerability. This issue can be seen clearly in the number of patches that “supersede” one another – where the same buggy code has been fixed again and again. Software bugs are a lot like roaches, if you find one, there are likely many more lurking somewhere close by.

Also with over 120 new vulnerabilities across all platforms and applications reported last just last week (a rate of 6,000 new vulnerabilities per year!) – clearly the rate of vulnerability discovery is still outpacing the number of patches being released.

Between the backlog of unpatched issues, and the chances of new vulnerabilities being discovered in adjacent areas, PatchLink sees a clear trend towards exploits coming out before patches are available – and “Exploit Wednesday” is likely to become a reality sooner rather than later.”

The issue of backlog across all applications and operating systems will have a greater impact on the IT organisation – unpatched issues that still need to be fixed by the respective vendors. From the IT administrator’s side, the only thing they can do is ensure that their systems are up to date and ready to patch once the patches are released using best practices guidelines.

Leave a Reply