Microsoft Issues Record Number of Security Updates

Microsoft Corp. issued a record-breaking number of software security updates today, shipping patches that plug at least 31 different security flaws in its Windows operating systems and other software.

More than half of the security holes Microsoft plugged with June's patch batch earned a "critical" severity rating, meaning Redmond believes attackers could exploit the flaws to break into vulnerable systems without any help from the victims. What's more, Microsoft is warning that it expects to see reliable, publicly available exploit code for most of the vulnerabilities it has issued patches for today.

According to Symantec Corp., this is the largest number of vulnerabilities Microsoft has ever addressed in a single patch release (the previous record was set in Dec. 2008, when Microsoft issued 28 security updates in one go).

Probably the most important of today's updates is a critical patch that addresses at least eight security holes in various versions of Microsoft's Internet Explorer Web browser, including IE8. In fact, one of the flaws patched in IE8 was first demonstrated at a hacking competition in Canada in March (the Pwn2Own contest at the CanSecWest conference). Microsoft says that particular flaw does not affect the Windows 7 release candidate (RC), but does affect Windows 7 Beta; Microsoft has issued separate IE8 updates for the Windows 7 Beta.

"These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities," said Ben Greenbaum, senior research manager for Symantec Security Response, of the IE flaws.

Another update patches two security holes in Microsoft's Internet Information Services (IIS) Web server software. Andrew Storms, director of security operations for vulnerability management company nCircle, notes that instructions explaining how to exploit one of those IIS flaws are already available online.

"Anyone running IIS that isn't using the available mitigation steps should jump on this one right away because there are exploits in the wild, and an exploited server can allow attackers to gain unauthorized access to protected resources on your Web site," Storms said.

Microsoft also released an update that plugs at least seven holes in Microsoft Office Excel. These vulnerabilities are most serious on Office 2000 installations, but those users can't get these updates from Windows Update. Rather, Office 2000 users must download the update separately from Microsoft (it requires Office 2000 Service Pack 3 to be installed, and you may need to have the original Office 2000 installation CD on hand to apply it).

Last month, Microsoft shipped a single patch to plug some 16 security holes in various versions of its PowerPoint software. The company said at the time that it was still working on fixing those flaws in the PowerPoint versions in Office for Mac and Microsoft Works. Today, Microsoft addressed those Mac and Works vulnerabilities in a separate PowerPoint patch rollup.

The patches are available through Windows Update or via Automatic Updates.

By Brian Krebs  |  June 9, 2009; 4:49 PM ET
Categories: New Patches, Safety Tips | Tags: june 2009 patch tuesday


Are you recommending that it's safe to download all of the patches? I'm confused about this because I have read that it is not safe to patch right away. Should I wait to patch?

Posted by: forry777 | June 10, 2009 6:47 AM | Report abuse

This is starting to get so very old, we pay top dollar for this software and for the upgrades to new versions (Win XP to Vista is costly, even as an upgrade), and still have to go through all these updates and patches. You would think they could get it right just one time and that the upgrades would be a bit less expensive. Sometimes I think it's time for a Mac.

Posted by: citigreg | June 10, 2009 7:57 AM | Report abuse

I've never heard anyone suggest that consumers, i.e. individual Windows users, not install patches (with the exception of organizations that have to worry about patches working in legacy systems).

I think the important question here is where you read that and is it a reliable source. I'd trust any patch from the manufacturer of the product before any outside source.

Posted by: huristm | June 10, 2009 9:08 AM | Report abuse

citigreg - I'm confused about what you said. What makes updates expensive for you? Also, you should be aware that updates are not exclusive to Microsoft. Updates are common for every type of software available. If anything, you should be wary of any software you are running that does not get regular updates.

Posted by: huristm | June 10, 2009 9:11 AM | Report abuse

I'm with huristm. No software -- or any system for that matter -- is completely free of design flaws. Any product that doesn't have a weakness or a flaw would be perfect and, as most of us are aware, nothing is perfect. Is Unix/Linux perfect? Nope. Apple? I don't think so. Imperfection is part and parcel of computing and patching is part of that reality.

While constantly releasing patches and all of the attendant noise that comes from known weaknesses is annoying, I am glad that Microsoft puts the time and effort into creating patches for its software instead of leaving it up to the user community to come up with their own fixes. Sure, I have to worry about my systems but I sleep better knowing that MS is at least supporting their products.

Posted by: JoStalin | June 10, 2009 9:47 AM | Report abuse

huristm: citigreg stated upgrades are expensive, not updates and on this point he is correct. Having only switched to Vista this year, now I'm looking at how much to move up to 7? Unlike many, I've no problems with Vista, regardless of the amount of programs I'm running on this OS. Be assured, with the exception of IE8, I take full advantage of all updates. IE8 is fine on the laptop, but is a disaster on the desktop. Go figure!

Posted by: cjswan | June 10, 2009 10:27 AM | Report abuse

Will SOMEONE please explain to me, why we cannot stop this (better yet PREVENT it)!

This is ridiculous!!!!!!!!!!!!

QUESTION: Under the current systems, will this just get worse?? Or do we need a paradigm shift, and start over (before this hole gets bigger)??

Posted by: gregczar | June 10, 2009 10:30 AM | Report abuse

After installing today's updates & rebooting, Firefox showed a message for one new addon installed...
Going through my addon list, though, I could not find one with today's date listed. And I don't recall installing anything since breakfast.
I can't help but think that MS snuck one in on us.
I removed the .NET extension previously, & thought it might be that, but it's not there, either.

Did anyone else notice this?

Posted by: j0nharris | June 10, 2009 12:46 PM | Report abuse

If we create harsher laws worldwide to deal with the people that exploit these weaknesses, then we wouldn't have this problem.

My solution. ;o) Coordinated counter attack by IBM, AT&T, Microsoft, Sun, Oracle, and all major ISPs against any and all machines identified to have tried to exploit holes in private/business systems. Hit these idiots with everything we have, fry their computers, take them out. Nuke 'em. Let them feel the pain they have caused to others. No holds barred.

Bet that would shut down a lot of the problems everyday citizens of the world have to deal with with regard to computers.

Posted by: LiberalBasher | June 10, 2009 12:47 PM | Report abuse

I installed Service Pack 1 for Vista a couple of months ago, but got a message saying my key was invalid, which is weird since it's on the laptop I was using, so I used System Restore and haven't been using the updates since then. Is there a way to fix this problem, so I can resume updating?

Posted by: jeremyharewood | June 10, 2009 1:46 PM | Report abuse

This month's updates were quick and easy on my SP3 system early this morning, with no problems so far.

Posted by: Bartolo1 | June 10, 2009 2:08 PM | Report abuse

Here is where I have been reading that it is not safe to patch right away. The site is called ask. Here is the post for June 5, 2009:

With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of problematic patches that you should studiously avoid.

Here are the ones I suggest you pass by:

Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?

Office 2007 Service Pack 2 / KB 953195 has a few problems - just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.

KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed - you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) - or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.

Posted by: forry777 | June 10, 2009 2:39 PM | Report abuse
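The "ActiveX killbit update" (KB 960715) that the quoted post objects to works through a registry mechanism Microsoft documents: Internet Explorer refuses to instantiate any ActiveX control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The PowerShell below is an added example for auditing that state on a machine (which controls are currently blocked, and whether one given CLSID is), so that a reader weighing the "it breaks programs" complaint can see exactly what a kill-bit update changes. It is not code from Microsoft, from the quoted post, or from this blog; the function names are mine, and the CLSID in the sample call is a hypothetical placeholder rather than a control shipped in any update.

```powershell
# Added example (not from the post): audit Internet Explorer ActiveX kill bits.
# Microsoft's documented mechanism: a control is blocked when bit 0x400 is set in
# the "Compatibility Flags" DWORD under the CLSID's subkey of this registry key.
$KillBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-KillBitStatus {
    # Returns $true if the given CLSID (braces included) has the kill bit set,
    # $false if the key or value is absent or the bit is clear.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $KillBitBase $Clsid
    if (-not (Test-Path -Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Get-KillBittedControls {
    # Enumerates every CLSID subkey under the compatibility key and emits the ones
    # that are blocked, resolving the control's friendly name from HKCR if registered.
    Get-ChildItem -Path $KillBitBase | ForEach-Object {
        $clsid = $_.PSChildName
        if (Get-KillBitStatus -Clsid $clsid) {
            $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" `
                         -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ CLSID = $clsid; Name = $name }
        }
    }
}

# Usage: list all blocked controls, then test one CLSID.
# The CLSID below is a placeholder for illustration, not a real control.
Get-KillBittedControls | Format-Table -AutoSize
Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Reading HKLM needs no elevation, so the audit can be run from an ordinary user session. Two caveats: on 64-bit Windows the 32-bit browser reads the same key under the Wow6432Node branch, so a complete audit checks both; and a kill bit only stops IE (and other hosts that honour the flag) from loading the control, it does not uninstall it, which is why a mis-targeted kill-bit update can break an application that embeds the control without removing anything from disk.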

Protecting Your Most Critical Information By John Watkins, Attorney with Chorey, Taylor & Feil, PC: Trade secrets and confidential information truly are the crown jewels of many businesses. This is the information that allows businesses to compete effectively, and that provides a competitive edge. Despite the critical nature of this information, my experience is that many business people do not understand what they should be doing to protect the crown jewels. I repeatedly see posts on LinkedIn and elsewhere asking for a “form” or a link to a “free site” to get an NDA. Given the potential value of the information, this cavalier approach is surprising.

Posted by: anthonymfreed | June 10, 2009 2:51 PM | Report abuse

Gee whiz, Pretty soon the only thing loaded on my PC will be Microsoft Patches!!!

Posted by: Badwisky | June 10, 2009 4:18 PM | Report abuse

Microsoft is true genius. Take a look at it. Every new version of a Microsoft product is 'safer' than its predecessor and 'less safe' than its successor. You are perpetually advised to buy an 'update' in order to raise security. In short, Microsoft is trading the vulnerabilities of their own, making money from them, instead of being punished for having them in the first place.

Alternative products - some of which are freeware - appear considerably more secure than Microsoft's own. OK fellas, keep consuming.

Posted by: skata3 | June 10, 2009 4:46 PM | Report abuse

Anthony -- I welcome comments, but each of yours seems to be a bit off-topic and nothing more than a plug for your Web site. Please don't make me block you. Thanks.

Posted by: BTKrebs | June 10, 2009 5:19 PM | Report abuse

I have my computer set for Windows automatic updates but all fail except for Windows Defender. Have rerun basic program twice, same result. Cannot locate periodic vital updates on Windows website.

Posted by: Tinkerboy | June 11, 2009 10:33 AM | Report abuse

Don't you love the irony that hackers who create viruses, who see themselves as outside the system, have created a multi billion dollar a year industry in security protection of which they don't get anything. Saps.

Posted by: 18k_ | June 11, 2009 12:41 PM | Report abuse

Bottom line: Microsoft has too much code. There's no way they'll ever be able to get it all under control. As JoStalin writes, no system is completely free of flaws. However, when you manage the massive amounts of code Microsoft does, major problems are inevitable. Get used to more reports like this.

Interestingly, MSFT was called out as an example secure software in a recent study. The lesson here is that no matter what process and technologies you have in place, flaws--major ones--will happen. We can commend MSFT for at least providing the patches as quickly as they did.

Posted by: SecurityDude | June 11, 2009 12:47 PM | Report abuse

Microsoft included IE 8 in the critical updates today. I declined installation, because I wasn't sure whether it was necessary. Is there any good reason to upgrade to IE 8 when IE 7 is just fine for my use? (Brian, if I missed a column where you discussed this, I apologize.) Thanks.

Posted by: JBV1 | June 11, 2009 4:03 PM | Report abuse

I had the option to upgrade to IE8 today as well. I usually stick with Mozilla, so I didn't bother to update.

@anthonymfreed: It is sad that the only link to your blog is from the blog spam you have posted here. Perhaps you should target a contextually relevant site, or be cool enough that Mr. Krebs would look to interview you for some legitimate plugging.

Posted by: BadSecurity | June 11, 2009 5:01 PM | Report abuse

The updates on 9 June 2009 killed my computer. Wednesday it started to act squirrely and then on Thursday the computer completely froze and on the reboot everything came unglued.

Am now stuck in an infinite reboot sequence - does not matter which option I choose - will not reboot / start and just recycles back to the start of the reboot.

I am forked as I am poor and cannot afford repairs nor do I know anybody who can repair for me.

Posted by: flo_mo_t | June 13, 2009 2:14 PM | Report abuse

I agree with most of what you write in this article but I do have one additional thing to append to it.
I think most of the problems with security on our computers is due not to hackers trying to get into our machines, but due to advertisers and companies using every unscrupulous method there is to gain access to us and to "mine" our data in order to sell us something we may not even want.
It is an epidemic if you ask me. I don't think hackers trying to destroy my computer are near the threat to its smooth running as are my "friends" trying to make me want to buy something. That and the incessant attempt to have me buy an unneeded update etc.
I can admit to circumventing ways to verify I am using a valid program, but I cannot afford to constantly upgrade my computer programs. I estimate it to cost several hundred a year to do that and I am living on SS only. I see Linux as at least a way to survive this onslaught of buying all the time just in order to remain as I am. I do not need every new program there is.
Maybe some day when all these sellers cause the internet to collapse from the sheer number of spam etc, there will be a real penalty for what they do to us. I can only hope!

Posted by: electroken | June 15, 2009 10:31 AM | Report abuse


© 2010 The Washington Post Company