Microsoft to patch Vista SP1, Server 2008 next week

Computerworld - Microsoft Corp. today said it will issue eight security updates next week, five tagged as "critical" to patch Windows, Office and Internet Explorer.

One of the critical Windows updates scheduled for next Tuesday affects every version of the operating system Microsoft supports, including the just-released Service Pack 1 for Vista and the newest server operating system, Windows Server 2008.

"That one has to be a pretty bad bug to be critical across the board like that," said Andrew Storms, director of security operations at nCircle Network Security Inc. "I would have expected a drop in criticality for Vista SP1, and most certainly in Server 2008. Something should have mitigated the vulnerability."

Apparently not, according to Microsoft's prepatch notification, which was posted to the company's Web site midday today. As usual, Microsoft revealed no details in the monthly preview of next week's "Patch Tuesday," but it did label each version of Windows -- including Windows 2000, XP, Server 2003, Vista, Vista SP1 and Server 2008 -- as critical.

Microsoft uses a four-step scoring system to rank vulnerabilities it discloses and patches. Five of the eight bulletins will be pegged critical, while the remaining three will be rated "important," the second-most-dire indicator.

Storms also noted that the patch affects the very newest versions of Microsoft's operating system. Windows Server 2008, for example, launched five weeks ago, and Windows Vista SP1 only became widely available two weeks ago.

"Oh, didn't Microsoft just release a whole bunch of protocols recently?" Storms asked rhetorically, referring to the interoperability announcement the company made in late February, when it promised it would publicly post details on the communications protocols and APIs of its newest software, Vista and Server 2008 included.

"All that proprietary information that they were holding on to, they released, didn't they?" Storms said, speculating that the disclosure might have prompted this critical patch.

Several security experts, Storms among them, agreed in February that Microsoft's decision to let anyone snoop through its software secrets meant vulnerabilities and exploits would almost certainly spike in the short run.

Also planned for Tuesday' release, said Microsoft's advance warning, are multiple updates for Internet Explorer and Microsoft Office. One of the two IE-specific updates, said the alert, will plug one or more critical holes in IE7, the current production version of the company's browser.

"We're even seeing critical patches for IE7," Storms said. "All the talk of Microsoft's browser getting better ... this may buck that trend," he added.

Both Visio and Project, two of the lesser-known applications in the Office line, will also be repaired by separate updates marked as important; almost certainly the vulnerabilities will be in those programs' document file formats, Storms said.

Microsoft will also release a fix for vulnerabilities in VBScript and JScript that it had once scheduled for February but had yanked at the last minute. No explanation was given for its withdrawal at the time, and the update didn't make it into the March batch.

The eight security updates will post Tuesday around 1 p.m. EST. Microsoft also said it plans to deliver several high-priority, nonsecurity updates at the same time, including one for Microsoft Office's antipiracy technology and another to Windows Live Writer. If Microsoft issues all eight updates, it will have released 25 through the first four months of the year, a pace that would exceed last year's 69 security bulletins.