Microsoft plans to deliver a record 17 security updates next week to patch 40 vulnerabilities in Windows, Internet Explorer (IE), Office, SharePoint and Exchange.
Among the 40 will be fixes for two bugs that attackers have already exploited.
"I really was not expecting 17," said Andrew Storms, director of security operations at nCircle Security. "I expected 10 at the most."
The 17 updates, which Microsoft calls "bulletins," are a record, beating the count from October 2010 by one. The bulletins that will ship next Tuesday will include 40 patches, Microsoft said, nine fewer than the record set last October but six more than the next-largest months, October 2009 and June and August of this year.
The total bulletin count for the year, 106, was also a record, as was the number of vulnerabilities patched in those updates: 266.
Microsoft defended the blistering bug patching pace of 2010.
"This is partly due to vulnerability reports in Microsoft products increasing slightly ... [and to the fact that] Microsoft supports products for up to ten years," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC), in a post to the team's blog today. "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports."
But it was December's big number that caught Storms' eye.
"The sheer number is quite surprising for December," said Storms. In the past three years, Microsoft has issued no more than nine updates in December, he said. "And while Microsoft doesn't necessarily take its cues from the rest of the world, the fact is many organisations won't patch a lot of these until after the first of the year," Storms continued.
Not only will enterprise IT staffs be short-handed this month because of holidays and vacation time, but they will also be unlikely to risk the problems that patching can cause during such an important time of year for their businesses.
"In this case, there might be less risk involved by doing nothing," said Storms. "That's especially true of companies, like those in the financial sector, that have locked down their networks since early November."
Many firms forbid patching during the last two months of the year to ensure that their systems continue to operate, said Storms.
Two of the 17 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step scoring system. Another 14 were marked "important," the second-highest rating, while the remaining update was labeled "moderate."
Ten of the updates could be exploited by attackers to remotely inject malicious code into vulnerable PCs, Microsoft said in its usual bare-bones advance notification. Microsoft often labels remote code execution bugs, the most dangerous kind, as "important" rather than "critical" when the vulnerable components are not switched on by default or when other mitigating factors, such as address space layout randomization (ASLR) and data execution prevention (DEP), may protect some users.
Among the fixes slated for next week will be one that addresses an already-disclosed vulnerability in all supported versions of IE, said Reavey.
In early November, Microsoft disclosed the zero-day IE bug and confirmed that attacks were already circulating. It was unable to craft and test a patch in time to make it into that month's security update, which appeared six days later.
Next week's IE update is one of the two marked critical, and will affect all versions of the browser, with the possible exception of IE9, which is still in preview.
Microsoft also intends to patch the last of four Windows vulnerabilities that were used by the notorious Stuxnet worm to infiltrate industrial control systems, said Reavey. As far as Microsoft knows, the bug, which lets attackers elevate access privileges on a compromised PC, has not been exploited by malware other than Stuxnet.
Exploit code for that vulnerability, however, has been available on the Internet for several weeks.
Of the 17 updates, 13 will affect one or more versions of Windows, two will patch Office and Microsoft Works on Windows, and one each will address bugs in the Exchange and SharePoint server software.
Storms was concerned about the Exchange update.
"Anytime it has to do with e-mail, it's concerning," he said, adding that because the server must face the outside world, there may be easily-exploited attack vectors. "SharePoint, on the other hand, is usually very well protected inside the network," he said.
Also of interest, Storms said, was what Microsoft today identified only as "Bulletin 2," an update that affects all versions of Windows, but was tagged as critical for newer editions, including Windows Vista, Windows 7 and Server 2008. The same bulletin was marked as important for the older Windows XP and Server 2003 operating systems.
The Microsoft patch burden this month will be especially tough for administrators to deal with, because of other events, notably the WikiLeaks release of confidential US diplomatic messages, and the resulting retaliatory distributed denial-of-service (DDoS) attacks against firms like Amazon, MasterCard and PayPal.
"It is enough that IT administrators are addressing the current DDoS service attacks surrounding WikiLeaks where anyone could very quickly become a target, but now organizations also have to address this disruptive Patch Tuesday from Microsoft with 17 bulletins," said Paul Henry, a security analyst at Lumension, in an e-mail Thursday.
"There's more than enough to handle at the moment without this Patch Tuesday," added Storms. "There's the ongoing WikiLeaks attacks and then there are always zero-days released around Christmas."
Storms was confident that Microsoft would include workarounds for the most egregious of next week's bugs that will help organizations and users protect themselves if they were unable to apply the security updates.
"That's something that Microsoft has actually been very good at lately," said Storms. "I expect that they'll deliver a decent set of mitigations."
Microsoft will release the 17 updates at approximately 1 pm ET on Dec. 14.