There is no way around it this month: if you use any supported version (and a couple of unsupported ones) of any of Microsoft's operating systems or Office packages, you will be in for a round of updates in a couple of days. Patch Tuesday will bring new code for all of the above, as that many things have problems and need updating. There will also be patches for the provider’s programming tools.
There are 64 vulnerabilities in all for this round, which, if not an absolute record since the monthly patch intervals began, must be close to one. These will be addressed in 17 patches, 9 rated critical and the other 8 rated important.
The operating systems that will see updates are Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7. There are 9 critically rated bugs, and Vista is the big loser here, with all 9 affecting that operating system; Windows XP is affected by 7 of the 9, and Windows 7 by 8 of the 9 listed. Once again, it reinforces what I’ve said over and over: Microsoft just does not learn from its mistakes, making the same ones over and over with each new OS, and then finally fixing them en masse, after they become exposed.
According to a researcher named Mandt, quoted in a Computerworld article:
In spite of the security measures introduced [in Windows 7, it] is still susceptible to generic kernel pool attacks.
The good news is that Mandt did state that he felt Microsoft would eventually harden the kernel, where the problems are, as the mitigations involved were rather easily accomplished. He declined, however, to say why, if that was so, it had not already been done.
Mandt had fully documented the kernel attack method that affects Windows 7 in a paper [pdf] released at a Black Hat conference earlier this year, so the methods are out there, for those who wish to try and employ them.
Also probably due to get patched are the bugs in Internet Explorer 8, which was embarrassingly easily hacked just recently, at a contest to see how easily browsers could be hacked. A man named Stephen Fewer easily gained access to a system using Internet Explorer 8, and those bugs, while removed from the IE9 code before final release, have not been removed from the IE8 codebase. Internet Explorer 6 and IE 7 will also be patched, this perhaps being the last noteworthy patch for Internet Explorer 6, as Microsoft tries desperately to move that version into oblivion.
With the Office products, there is no escaping the need for a patch, whether you are using the product on a PC or a Mac, as both have problems. Office XP, Office 2003, Office 2007, Office 2010, Office 2004 for Mac, Office 2008 for Mac and the newest Office 2011 for Mac are all going to feel the sting of patches applied this month, as multiple vulnerabilities have never been fixed across those versions.
The Microsoft programming tools are also getting repairs, which is good, as by doing so they will be putting forth new code that is less susceptible to the hacks of the many who know how to exploit these built-from-the-start problems. Visual Studio and Visual C++ will both have changes applied, so that attacks on the GDI subsystem (the graphics rendering system for Microsoft products) are eliminated.
April 12 will be a long day for the Microsoft servers, and just might be a long day for some others, as when so many problems are addressed at once, the chances for difficulties multiply. The usual practice of letting a machine update silently may be one to eschew this time around, especially if you have one of those magic combinations that gets more than its share of those 17 patches applied. Watching for the odd error, so that you are a bit more aware of what might be the problem, could be a lifesaver, as could creating a system restore point on Monday!