Microsoft to patch Windows bug called 'Holy Grail' by one researcher

Announces next week's Patch Tuesday line-up, will fix 7 flaws in Windows, developer software

Microsoft yesterday said it would ship six security updates next week, only one critical, to patch seven vulnerabilities in Windows and a pair of for-developers-only programs.

This year's March Patch Tuesday will feature three more updates and three more patches than the same month in 2011, but will fix fewer bugs than the March roster in each of the years 2008-2010, according to records kept by Andrew Storms, director of security operations at nCircle Security.

One of the six updates was tagged "critical," the highest threat ranking in Microsoft's four-label system, while four were marked "important," the second-level rating, and the sixth as "moderate." One of the important updates, as well as the sole critical one, will patch bugs that Microsoft confirmed could be exploited by attackers to compromise PCs and plant malware on victimized machines.

Storms tried to parse the limited information Microsoft revealed in the advance notification for Patch Tuesday but came up mostly empty. "Overall, there's not much to go on here as we look to be back to lower numbers on a down month," said Storms during an instant message interview.

Storms was referring to Microsoft's habit of issuing a higher number of updates in even-numbered months.

In February, for example, Microsoft released nine security updates -- called "bulletins" in its parlance -- that patched 21 vulnerabilities.

Based on what Microsoft disclosed yesterday, Storms and other security experts pegged "Bulletin 1," the single critical update, as the one most users should apply first.

"It's rare to find a bulletin that transcends all versions of Windows," said Storms, referring to that update's applicability -- and critical rating -- for everything from Windows XP to Windows 7, Server 2003 to Server 2008 R2. "Either it's a serious bug in code that was never touched during all the reworks from XP all the way to Windows 7, or what we've got here is a bulletin with multiple bugs grouped together. It could be one vulnerability affecting older versions and another for the newer versions."

Wolfgang Kandek, the chief technology officer at Qualys, and Alex Horan, senior product manager for security intelligence at Core Security, also tagged that update as the most important of the month.

In an email Thursday, Horan called Bulletin 1 a potential "Holy Grail of exploit" because it will patch all versions of Windows, and thus will make a lucrative target for cybercriminal researchers searching for ways to hack PCs.

Bulletin 3, said Microsoft, also affects all supported versions of Windows, although the underlying flaw could be used by hackers only to obtain additional rights. So-called "elevation of privilege" vulnerabilities are often used by hackers in conjunction with other exploits to gain wider access to a computer or the network it is on.

Storms also called out Bulletin 3, which applies to Windows Server software, but not the client editions for desktops and notebooks.

"We've seen Server-only bulletins before," he said, "which makes sense, since the Server versions of Windows use different services. It's likely we will see the bug in some area that can only be installed on Server, [making] this of interest to the server ops guys at the table."

Besides the four Windows updates, Microsoft will also issue bulletins targeting bugs in Visual Studio 2008 and 2010, and Expression Design.

The latter is a professional-grade illustration and design tool for creating and editing images for websites that, according to Microsoft's records, has never received a security update. Bulletin 5, the one aimed at Expression Design, will address a bug that hackers could use to execute attack code.

Microsoft will release the six updates at approximately 1 p.m. ET on March 13.

Mozilla is also slated to update it Firefox browser to version 11 that same day.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies