Microsoft To Fix 49 Bugs With 16 Patches Tuesday

Microsoft is slated to release a monster 16-patch security bulletin for its Patch Tuesday release, covering a total of 49 vulnerabilities in Windows and Microsoft Office.

Microsoft gave four of the 16 patches the highest severity ranking of "critical," while 10 were rated "important" and two listed as "moderate."

Meanwhile, nine of the patches repair vulnerabilities that can lead to remote code execution, indicating that an attacker can launch malicious code remotely on a victim's computer in order to take take complete control of the affected system or shut it down altogether. All 16 patches may require a restart for them to be appropriately installed.

One outstanding feature of this month's patch load is that it may include the first ever fix for Office 2010, security experts say.

id
unit-1659132512259
type
Sponsored post

"The Office software on that site, Office itself, Office Web apps, Sharepoint -- this is possibly the first patch for all of that," said Tyler Reguly, technical manager for security and development at network security firm nCircle.

Next: October A Patch Heavy Month

Security researchers say that it's unclear whether the October bulletin will include a fix for outstanding DLL load hijacking vulnerabilities. "We'll have to wait and see how Microsoft chooses to address this issue," said Andrew Storms, director of security operations for nCircle, in an e-mail.

The October update comes just a few weeks after Microsoft released an out-of-band patch repairing a vulnerability affecting all versions of the ASP.NET framework running on the Windows Server operating system, which enables hackers to access, view and alter encrypted information from an organization's Web server.

Security experts said October is usually a patch-heavy month before Microsoft starts winding down for the holidays in November and December.

"October is usually a heavy month for Microsoft security bulletins and that trend definitely continues this year with a record setting 16 bulletins and 49 CVEs (common vulnerabilities and exposures patches)," Storms said. "The theory behind the larger October patch is that many industries go into 'lock-down' mode with their critical infrastructure as the end of year approaches. Finance and retail sectors in particular are extremely careful with changes in the latter part of the year given the heavy volume of online shopping."

Last October's patch was similarly sized, comprising 13 bulletins covering 34 vulnerabilities.

Next: Long Night Ahead, Researchers Say

"It definitely seems to be proven when you look at the numbers. October is where they look to get most of their patching out of the way for the end of the year," Reguly said.

As such, researchers are anticipating a long night ahead of them next week.

"From the researcher side, we're just dreading this," Reguly said. "We're stocking up on the Red Bull and are getting ready for an all-nighter."