Microsoft releases 7 patches for July 2006
A short analysis of the latest released patches and the security trend.
Microsoft today released 7 patches as part of its monthly patching cycle, popularly known as Patch Tuesday. Of the 7 patches, five are rated critical (the highest rating given by Microsoft) and two are rated important. All five critical patches involve some kind of remote code execution. I won't go into the details of the patches here, as they are covered in more depth and more competently elsewhere. My objective is to analyse the trend in the vulnerabilities and its impact.
In reality, Microsoft is patching at least 10 vulnerabilities in this patch cycle: bulletins MS06-35, MS06-38 and MS06-39 resolve two vulnerabilities each, and bulletin MS06-37 addresses several vulnerabilities in Microsoft Excel. Also, of the 7 patches, 3 relate to the Microsoft Office suite and 2 are for its application platform (.NET and IIS), along with Windows. All three patches related to Microsoft Office have received the highest severity rating of Critical.
The focus of both Microsoft and the hackers now seems to have shifted from the OS to the application suite. It is not that the OS is very secure, but its holes are becoming harder to find and exploit, while the application suite is still virtually untouched in terms of security updates. It would be prudent for IT managers to expect more vulnerabilities to be disclosed and patched in the coming cycles. If the OS patching cycle and frequency are anything to go by, it is going to be a long cycle of patching and catching up.