Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Record patch Tuesday: What you need to know

Microsoft is putting out 17 security bulletins, and IT admins have little time to apply the patches before the holidays

Today is the final Microsoft Patch Tuesday for 2010. It has been a busy year for Microsoft when it comes to security bulletins, and December is no exception as Microsoft closes out the year with a record 17 security bulletins. With only a week or so until many IT admins plan to kiss 2010 goodbye and break for the holidays, it is important to understand and prioritize the latest patches for quick implementation.

Joshua Talbot, security intelligence manager for Symantec Security Response breaks down the 2010 milestones for Microsoft. "Seventeen bulletins are the most ever issued in a single month. Also, Microsoft has now released 106 security bulletins in 2010--the first time topping the century mark since the Patch Tuesday program began. The next closest was 78 in 2006 and 2008. Finally, by Symantec's count Microsoft far surpassed the number of vulnerabilities patched in a single year with 261. The previous record was 170 set last year."

Depending on your perspective, 2010 either proves just how flawed and vulnerable Microsoft software is, or it illustrates how successful Microsoft has been at identifying and resolving vulnerabilities. I tend to side with the perspective that the software itself is not any more flawed than previous years--in fact possibly less--but that Microsoft has become more agile at addressing vulnerabilities as they are discovered.

A Microsoft spokesperson sent along some guidance. "Microsoft encourages customers to test and deploy all updates as soon as possible to help prevent criminal attacks on their computers."

Microsoft provides the Severity and Exploitability Index, as well as a Deployment Priority guide to help IT admins asses the risk and prioritize the updates. As a part of that guidance, Microsoft stresses that the two Critical security bulletins--MS10-090, the security bulletin addressing Internet Explorer vulnerabilities, and MS10-091, the security bulletin related to flaws in the Windows operating system--be given priority attention.

Andrew Storms, Director of Security Operations for nCircle, agrees with the urgency for the IE update. "The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November. With more and more people shopping online this time of year, it's important for everyone to patch their browsers."

"Many of the patches are deemed as "important," and a very low amount marked as "critical" vulnerabilities," said Dave Marcus, director of security research and communications at McAfee Labs. "It seems the majority of Patch Tuesday's are bringing record numbers of updates, and other applications from Adobe, Oracle have increasing numbers as well. The threat landscape is clearly broadening, and if organizations wait to patch, it gives cybercriminals an opportunity to exploit data."

A spokesperson for Webroot e-mailed me to stress that IT admins go the extra mile to test and implement patches as quickly as possible before taking off for the holidays. "People should apply the patches as soon as they can to remain fully protected against malware. It doesn't take exploit kit creators long to build new exploits once patches have been released, so getting the fixes applied before new exploits hit the net is going to be a race against time."

Webroot also points out that most of the patches require a reboot to complete, and that systems that update while users are away over the holidays could be at risk of losing data in open files on the desktop. Webroot suggests, "People might want to either fully power down a work PC if you're going to be away from the office or at least save all your work and close any open apps so you don't lose anything when Windows Update tries to force the PC to reboot during the patch installation."

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Adobe, Andrew, McAfee, Microsoft, nCircle, Oracle, Symantec, Webroot
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: firewalls, Microsoft, network security, patches & drivers, security
Latest Blog Posts
Whitepapers
  • Enabling Agile and Intelligent Businesses
    In the last 3 to 5 years there has been widespread adoption of SOA with businesses making significant economic investments in service-enabling their IT systems. Looking to enable your business for efficient IT execution? Read this white paper now.
    Learn more »
  • Reconciling Datacenter consolidation and security: It starts with an integrated approach
    There is no question that datacenter consolidation has gone mainstream. A recent IDG Research survey of IT managers found that three out of four organizations are in the midst of, or just completing, consolidation of multiple applications or systems onto a smaller number of servers. Improving performance and availability was the key driver of consolidation efforts for 85% of those surveyed.
    Learn more »
  • Guidance for Calculation of Efficiency (PUE) in Data Centers
    The benefits of determining data center infrastructure efficiency as part of an effective energy management plan are widely recognised. The standard metrics of Power Usage Effectiveness (PUE) and its reciprocal Data Center Infrastructure Efficiency1 (DCIE) have emerged as recognised standards. This paper defines a standard approach to collecting data from data centers and showing how to use it to calculate PUE, with a focus on what to do with data that is confusing or incomplete.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments