Microsoft promises 12 patches next week

Computerworld - Microsoft Corp. today said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista.

Of the 12 updates it sketched out in the advance notification issued this morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking.

"We almost have a baker's dozen," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What struck me was the complete depth of Microsoft software that the updates will touch this month."

As is its practice, Microsoft divulged little information about each update, limiting the disclosure to naming the affected software and spelling out in only general terms the nature of the bugs.

Four of the seven critical updates will patch Office, with three of those aimed at Access, Excel and PowerPoint. Another update, downgraded to important, will patch one or more bugs in Word, the suite's word processor.

The other critical updates will fix unspecified flaws in Windows, IE and Media Player 11, the edition included with Windows Vista.

Microsoft acknowledged that each of the seven critical updates would fix flaws that could be exploited remotely, an indication that they were among the most serious of vulnerabilities, and could potentially be used to hijack PCs.

At least one of the vulnerabilities has already been exploited by hackers. A flaw in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, generated a security advisory a month ago today, when the company warned that criminals were actively tricking users into visiting a malicious Web site in order to compromise their computers.

A week later, Symantec Corp. researchers reported that a popular attack kit had been updated with a Snapshot Viewer exploit, and warned of more attacks.

Storms speculated that the critical IE patch was also required to plug the ActiveX hole. "The bug could be a cross-over to multiple programs," he said, noting that that is often the case in an ActiveX bug.

Microsoft may also be patching IE to quash a bug first reported in 2006, but which returned to the limelight in May when security researcher Aviv Raff claimed that it could be combined with a flaw in Apple Inc.'s Safari. At the end of that month, Microsoft warned users of the blended threat and recommended that people stop using Safari. Apple has since patched Safari and Mozilla Corp. also updated Firefox to stop possible blended attacks using its browser, but Microsoft has yet to fix the flaw.

Of the five bulletins tagged important, two will patch vulnerabilities in Windows, while one each will address issues in Outlook Express and Windows Mail, the Messenger instant messaging client and Word. Ironically, only the newest versions of Windows -- Vista and Server 2008 -- will need to be patched by both Windows-specific updates. Earlier editions, including Windows 2000, Windows XP and Windows Server 2003, will require only one of the pair.

The dozen patches should keep IT administrators busy, but the work will be different, and possibly less stressful, than last month, said Storms, when they had to test and roll out several less-critical updates to server-side software, including a fix for the DNS vulnerability that's been in the news the last month.

"It will be a different kind of work this month," he said. "The potential for downtime is a little less, for one thing. If a single laptop fails because it didn't get its IE patch, that's not so bad as last month, when an Exchange server could have gone down after patching."

The 12 security updates will be posted around 1 p.m. EDT on Aug. 12.

Read more about Security in Computerworld's Security Topic Center.