Microsoft to patch Vista SP1, Server 2008 next week
Slates eight updates; one is 'critical' across the entire Windows line
April 3, 2008 12:00 PM ETComputerworld - Microsoft Corp. today said it will issue eight security updates next week, five tagged as "critical" to patch Windows, Office and Internet Explorer.
One of the critical Windows updates scheduled for next Tuesday affects every version of the operating system Microsoft supports, including the just-released Service Pack 1 for Vista and the newest server operating system, Windows Server 2008.
"That one has to be a pretty bad bug to be critical across the board like that," said Andrew Storms, director of security operations at nCircle Network Security Inc. "I would have expected a drop in criticality for Vista SP1, and most certainly in Server 2008. Something should have mitigated the vulnerability."
Apparently not, according to Microsoft's prepatch notification, which was posted to the company's Web site midday today. As usual, Microsoft revealed no details in the monthly preview of next week's "Patch Tuesday," but it did label each version of Windows -- including Windows 2000, XP, Server 2003, Vista, Vista SP1 and Server 2008 -- as critical.
Microsoft uses a four-step scoring system to rank vulnerabilities it discloses and patches. Five of the eight bulletins will be pegged critical, while the remaining three will be rated "important," the second-most-dire indicator.
Storms also noted that the patch affects the very newest versions of Microsoft's operating system. Windows Server 2008, for example, launched five weeks ago, and Windows Vista SP1 only became widely available two weeks ago.
"Oh, didn't Microsoft just release a whole bunch of protocols recently?" Storms asked rhetorically, referring to the interoperability announcement the company made in late February, when it promised it would publicly post details on the communications protocols and APIs of its newest software, Vista and Server 2008 included.
"All that proprietary information that they were holding on to, they released, didn't they?" Storms said, speculating that the disclosure might have prompted this critical patch.
Several security experts, Storms among them, agreed in February that Microsoft's decision to let anyone snoop through its software secrets meant vulnerabilities and exploits would almost certainly spike in the short run.
Also planned for Tuesday' release, said Microsoft's advance warning, are multiple updates for Internet Explorer and Microsoft Office. One of the two IE-specific updates, said the alert, will plug one or more critical holes in IE7, the current production version of the company's browser.
"We're even seeing critical patches for IE7," Storms said. "All the talk of Microsoft's browser getting better ... this may buck that trend," he added.
Both Visio and Project, two of the lesser-known applications in the Office line, will also be repaired by separate updates marked as important; almost certainly the vulnerabilities will be in those programs' document file formats, Storms said.
Microsoft will also release a fix for vulnerabilities in VBScript and JScript that it had once scheduled for February but had yanked at the last minute. No explanation was given for its withdrawal at the time, and the update didn't make it into the March batch.
The eight security updates will post Tuesday around 1 p.m. EST. Microsoft also said it plans to deliver several high-priority, nonsecurity updates at the same time, including one for Microsoft Office's antipiracy technology and another to Windows Live Writer. If Microsoft issues all eight updates, it will have released 25 through the first four months of the year, a pace that would exceed last year's 69 security bulletins.
Microsoft
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
