Tomorrow is the last Patch Tuesday of 2007 and it's pretty significant. According to Maximum PC's Mark Soper, Microsoft's getting ready to hand out significant security fixes for Windows 2000, XP, Vista, Windows Media Format runtime, Internet Explorer, and DirectX.
Soper shares that three of the seven patches in tomorrow's release are critical. He provides this description of what is being addressed. "First up is a remote code execution patch for DirectX versions 7.0 (Windows 2000) through 10.0 (Windows Vista). Multimedia users will also need to get patching with a remote code execution patch for Windows Media Format runtime for all Windows versions from Windows 2000 and Windows XP to Windows Vista. Third on the list of 'must squash now' bugs is yet another remote code execution patch for Internet Explorer versions for Windows 2000, XP, and Vista all the way back to the pre-Cambrian version IE 5.01 SP4 and all the way forward to IE7 for Windows XP and Vista," Soper writes.
The other key question for tomorrow is how reliably Microsoft's Windows Server Update Services (WSUS) delivers the release. Just prior to November's Patch Tuesday, Microsoft had to apologize twice in three weeks for WSUS problems. A story on PCWorld.com reported that, according to a posting on a Microsoft blog, the most recent glitch was caused by a coding error in the database that holds the list of products the update tool supports.
Bobbie Harder, senior program manager in Microsoft's WSUS group wrote that a worker had put double quote marks around the word Nitrogen. Double quotes, she explained, are "a restricted character within WSUS, which created an error condition on the administration console."
Andrew Storms, director of security operations at nCircle Network Security Inc., said the double-quotes gaffe was pretty basic. "That's SQL Server 101. How that ever got through Microsoft's [quality assurance] is a real worry."
Managing patch deployment is serious business from both a vulnerability and a compliance perspective. Exploits for earlier vulnerabilities have been published on the Internet before, or almost simultaneously with, the corresponding patch, so a deployment mechanism that silently fails leaves hosts exposed during exactly the window that matters. That makes the reliability of WSUS a critical subject.
It's difficult to pass up a free tool, but it would be wise to have additional resources available to at least audit the effectiveness of WSUS: confirm on the endpoints themselves that the expected updates actually landed, rather than trusting the console's own reporting. It also wouldn't hurt to have an alternate method of deploying patches ready, in case WSUS breaks again on a critical month.
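One way to do that audit from outside WSUS, as an added example that is not part of the original post and not a Microsoft tool: ask each host directly which hotfixes are installed, and ask its Windows Update Agent what it still considers missing. Assumptions: PowerShell remoting (WinRM) is enabled on the targets, the account running the script is a local administrator on them, and the KB numbers in $ExpectedKB are placeholders to be replaced with the bulletin KB numbers for the month being checked.

```powershell
# Added example (not from the original post): independently verify patch state
# on endpoints instead of trusting the WSUS administration console.
# Assumed: WinRM enabled on targets, admin rights, placeholder KB numbers.
param(
    [string[]]$ComputerName = @('localhost'),
    # Placeholder IDs; substitute the KB numbers from the month's bulletins.
    [string[]]$ExpectedKB   = @('KB000001', 'KB000002')
)

foreach ($c in $ComputerName) {
    try {
        # Check 1: what the host reports as installed (Win32_QuickFixEngineering).
        # Note: this only lists hotfixes installed through the Windows servicing
        # stack, so MSI-based product updates will not appear here.
        $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $missing   = $ExpectedKB | Where-Object { $installed -notcontains $_ }

        # Check 2: ask the Windows Update Agent itself what is still pending.
        # The agent searches whatever source the host is configured for
        # (WSUS if the policy points there), so a host that WSUS believes is
        # compliant but that still reports pending updates is a red flag.
        $pending = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            $session  = New-Object -ComObject 'Microsoft.Update.Session'
            $searcher = $session.CreateUpdateSearcher()
            $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
            foreach ($u in $result.Updates) {
                # KBArticleIDs is a collection; one update can map to several.
                foreach ($kb in $u.KBArticleIDs) { "KB$kb" }
            }
        }

        [pscustomobject]@{
            Computer   = $c
            Status     = if ($missing -or $pending) { 'NOT COMPLIANT' } else { 'OK' }
            MissingKB  = ($missing -join ',')
            PendingKB  = (@($pending) -join ',')
            Error      = $null
        }
    }
    catch {
        # An unreachable host is a finding too: WSUS cannot have patched it.
        [pscustomobject]@{
            Computer   = $c
            Status     = 'UNREACHABLE'
            MissingKB  = $null
            PendingKB  = $null
            Error      = $_.Exception.Message
        }
    }
}
```

Run it as `.\Audit-PatchState.ps1 -ComputerName (Get-Content hosts.txt) -ExpectedKB KB..., KB...` and pipe the output to Export-Csv for the compliance record. The two checks deliberately use different data sources: the hotfix list is what the machine says it has, and the agent search is what the machine's own update client says it still needs, so a disagreement between them and the WSUS console is the signal that the console's reporting has drifted from reality.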
Contributed by Mark Tordoff
