Administrators hoping for a light month for patching in February are going to be left feeling disappointed. Microsoft is due to release 13 bulletins for February's Patch Tuesday that address 26 different vulnerabilities in its software products. In fact, five of them carry the maximum "critical" rating, with another seven rated as important. The final bulletin has been rated as moderate.
For the uninitiated, Patch Tuesday takes place on the second Tuesday of every month. This bumper crop of 13 bulletins ties the record, set in October 2009, for the most security updates released.
Sure to send security administrators and IT managers scrambling, the critical updates span the three most common Microsoft server platforms: Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. To make matters more challenging for administrators, one of the bulletins requires rebooting patched servers and desktops.
Desktop operating systems affected by the critical updates range from Windows 2000 and Windows XP (five critical bulletins) to Windows Vista and Windows 7 (three critical bulletins).
None of the critical patches pertains to the Microsoft Office suite of applications, which is probably scant comfort here.
Senior director of solutions and strategy at security outfit Lumension, Don Leatham, summed up February's Patch Tuesday this way:
"IT departments are facing the need to deploy a large number of patches to all Microsoft computers in the organization with many forced reboot situations. Therefore, it will be imperative to plan ahead this month on how these patches should be deployed throughout their enterprises to minimize the possibility of widespread disruption."
There is no word about a fix for a new flaw in Internet Explorer that was recently demonstrated at Black Hat. This vulnerability allows an attacker to browse users' files with impunity. If you ask me, though, I'd recommend that SMBs just ditch Internet Explorer for some other browser.