Patch Tuesday Will Challenge IT with Core Updates

by Gregg Keizer

Patch Tuesday will launch a big workload for IT departments with a critical Windows core update requiring reboots for all supported Windows versions. The patches also plug spoofing holes in Windows, including Server 2000. Patch Tuesday will not include a fix for an Excel vulnerability that Microsoft said could allow remote code execution.

Microsoft plans to deliver three security updates -- including one critical fix -- for the March Patch Tuesday. However, Redmond will not issue a patch for an Excel flaw that attackers are actively exploiting. Tuesday's updates will address vulnerabilities in Windows. The critical update plugs holes in editions of Windows the company still supports. The update ranked "important" will protect against spoofing bugs in Windows and Server 2000.

"Along with the spring weather, March is bringing one of the most disruptive Patch Tuesdays we've seen in a while," said Paul Henry, security and forensic analyst for Lumension. "What's interesting about this series of patches is that they affect all Windows operating systems, which are impacted by the remote code execution, implying that it could be comprised through malicious code -- something we'll have to confirm on Tuesday."

A Mammoth Undertaking

According to Henry, the critical patch is going to be a huge undertaking for IT administrators. That's because the broad platform impact of the bulletin suggests that core services -- rather than isolated application components -- of the Windows operating system need to be modified. Any patching of the core infrastructure opens up other applications to potential risk. The bottom line: A simple patch deployment is impossible this coming Patch Tuesday.

"To make sure this is secure, IT departments will have to do a scan of the entire system as well as reboot all Windows machines in the entire enterprise. When at the server software level, rebooting is a very disruptive event, making servers further exposed to vulnerabilities," Henry said.

In order for this vulnerability to be removed, he continued, IT will have to bring down the servers with the additional challenge of continuing to maintain service-level agreements. Given the breadth of this critical update, he said, all resources at Microsoft are likely engaged in getting this patch precise.

If the critical update isn't enough to keep IT administrators busy, the two important updates that also affect Windows operating systems will be. Henry said it's likely that all three patches are related. Vulnerabilities one and two have the exact same exposure, so a definite link exists between the two.

"Something to note about the important bulletins is that spoofing is not what you would consider a direct attack, but an ingredient to attacking individuals," Henry said. "It could be a targeted approach or broader, but with spoofing you are fundamentally breaking the way security works -- at least to the end user."

The Missing Patch

What about the Excel patch? Microsoft warned of a vulnerability in Excel last week that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Microsoft said it was aware only of limited and targeted attacks that attempt to exploit the vulnerability.

According to Microsoft, an attacker would have to host a Web site that contains an Office file used to exploit this vulnerability. An attacker would have to convince users to visit the Web site, typically by getting them to click a link that takes them to the attacker's site, and then convincing them to open the specially crafted Excel file.

Regardless of the exclusion of the Excel patch, Henry said there is no doubt that this Patch Tuesday presents a hefty load for IT, requiring an intense amount of planning, work and execution to ensure that enterprise devices are secure.