Microsoft to Plug 21 Security Vulnerabilities for Patch Tuesday

Microsoft is prepping nine security bulletins to patch 21 vulnerabilities next week as part of Patch Tuesday.

This month’s update features fixes for Microsoft Windows, Office, Internet Explorer and .NET/Silverlight. Four of the bulletins are rated ‘Critical.’ In particular, these bulletins affect Windows, the .NET Framework, Silverlight and Internet Explorer. The remaining bulletins are all rated ‘Important.’

“It’s surprising that this month’s patch affects almost every Windows operating system -- each OS is affected by five of the eight applicable bulletins,” noted Andrew Storms, director of security operations at nCircle. “That’s kind of weird because newer OS versions are generally more secure. It’s even more surprising that Windows Server 2008 R2 is affected by the greatest number of bulletins. Generally, we see fewer bugs on server side operating systems, and this is doubly true for Server 2008 since so many of its newer mitigations and default settings protect the OS even when bugs are found.”

Marcus Carey, security researcher at Rapid7, said the first bulletin is a core operating system vulnerability that affects all modern deployed workstations and servers, and noted the fourth bulletin is the third critical update during the last few months that patches .NET and Silverlight.

“Media players and browser plug-ins are very popular attack vectors these days as browsers are effectively taking the role of operating systems for users and so anything that can exploit the browser directly or indirectly will receive attention with exploit development and research,” he said. “This Patch Tuesday will certainly affect all organizations and home users. Since many of these require restart, organizations should test, patch and plan for downtime while their services are restored.”

Microsoft is scheduled to release the updates Feb. 14 at 10 a.m. PST.