Microsoft Sets Record With Monster Patch Tuesday
CWmike writes "Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.'"
Acknowledged. I should clarify that I am thinking of a Warhol Worm that includes a rooted backdoor for a large-scale DDoS attack. We've already had plenty of problems with zombots around 10^4, but imagine the hassles of a 10^7 zombot... I don't think it would be possible to simply cut the infected machines off the net, but rather it would be necessary to partition the entire network and rebuild in pieces.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
A proper patch would imho only be able to break existing functionality if:
Changing a documented API should happen only between OS version changes; the second is more likely. And considering the number of bugs and undocumented API calls included in Windows, that may well be a serious issue. Documenting the patch will never warn one of these issues: the undocumented API calls are, well, undocumented, so technically they do not exist, and it is impossible to know beforehand which bug workarounds there are in software, if any.
So assuming MS writes their patches properly, no documented functionality will change. It may change to what the documents say it does, or it may change internally while giving the same end result; so no matter the documentation, testing would be the only way to make sure that your specific set of third-party or in-house software still works.
And I'm sure the above accounts for open source software as much as it does for closed source.
Squashing 31 vulnerabilities in a single patch is, in a word, efficient.
Well, that's one way to positively spin "sat on patches until there were enough to bother with".
Dewey, what part of this looks like authorities should be involved?