Microsoft to patch Vista SP1, Server 2008 next week
Slates eight updates; one is 'critical' across the entire Windows line
Computerworld - Microsoft Corp. today said it will issue eight security updates next week, five tagged as "critical" to patch Windows, Office and Internet Explorer.
One of the critical Windows updates scheduled for next Tuesday affects every version of the operating system Microsoft supports, including the just-released Service Pack 1 for Vista and the newest server operating system, Windows Server 2008.
"That one has to be a pretty bad bug to be critical across the board like that," said Andrew Storms, director of security operations at nCircle Network Security Inc. "I would have expected a drop in criticality for Vista SP1, and most certainly in Server 2008. Something should have mitigated the vulnerability."
Apparently not, according to Microsoft's prepatch notification, which was posted to the company's Web site midday today. As usual, Microsoft revealed no details in the monthly preview of next week's "Patch Tuesday," but it did label each version of Windows -- including Windows 2000, XP, Server 2003, Vista, Vista SP1 and Server 2008 -- as critical.
Microsoft uses a four-step scoring system to rank vulnerabilities it discloses and patches. Five of the eight bulletins will be pegged critical, while the remaining three will be rated "important," the second-most-dire indicator.
Storms also noted that the patch affects the very newest versions of Microsoft's operating system. Windows Server 2008, for example, launched five weeks ago, and Windows Vista SP1 only became widely available two weeks ago.
"Oh, didn't Microsoft just release a whole bunch of protocols recently?" Storms asked rhetorically, referring to the interoperability announcement the company made in late February, when it promised it would publicly post details on the communications protocols and APIs of its newest software, Vista and Server 2008 included.
"All that proprietary information that they were holding on to, they released, didn't they?" Storms said, speculating that the disclosure might have prompted this critical patch.
Several security experts, Storms among them, agreed in February that Microsoft's decision to let anyone snoop through its software secrets meant vulnerabilities and exploits would almost certainly spike in the short run.
Also planned for Tuesday' release, said Microsoft's advance warning, are multiple updates for Internet Explorer and Microsoft Office. One of the two IE-specific updates, said the alert, will plug one or more critical holes in IE7, the current production version of the company's browser.
"We're even seeing critical patches for IE7," Storms said. "All the talk of Microsoft's browser getting better ... this may buck that trend," he added.
Both Visio and Project, two of the lesser-known applications in the Office line, will also be repaired by separate updates marked as important; almost certainly the vulnerabilities will be in those programs' document file formats, Storms said.
Microsoft will also release a fix for vulnerabilities in VBScript and JScript that it had once scheduled for February but had yanked at the last minute. No explanation was given for its withdrawal at the time, and the update didn't make it into the March batch.
The eight security updates will post Tuesday around 1 p.m. EST. Microsoft also said it plans to deliver several high-priority, nonsecurity updates at the same time, including one for Microsoft Office's antipiracy technology and another to Windows Live Writer. If Microsoft issues all eight updates, it will have released 25 through the first four months of the year, a pace that would exceed last year's 69 security bulletins.
Read more about Security in Computerworld's Security Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts