Microsoft to deliver five critical Windows patches next week

Computerworld - Microsoft today said it will deliver five security updates on Tuesday, all affecting Windows and all ranked "critical," the company's highest threat rating.

Unlike some months when Microsoft provides its usual advance notification for upcoming updates, this time there weren't any hints of what may be coming, said Andrew Storms, director of security operations at nCircle Network Security.

"It's a foggy advance warning," said Storms. "I'm a little bit at a loss for words. There doesn't seem to be anything here that has been disclosed publicly."

That didn't stop Storms from speculating, though. "We could see another ATL update," he said, referring to the flaws in Active Template Library (ATL), a Microsoft code "library" that it and third-party developers use to create software.

Microsoft acknowledged the ATL vulnerabilities in July, when it issued two emergency updates to patch six bugs in its own software. Since then, it and several other vendors, including Adobe, have released additional patches for programs that inherited the ATL flaws.

"It wouldn't be surprising if Microsoft still had some ATL bugs to fix," said Storms, "although I think it's also likely that we'll see more third-party patches than ones from Microsoft."

All five of the security updates slated to ship next week are rated critical, and all five were tagged as affecting various versions of both the client and server editions of Windows. "I guess you could say that they're batting five for five on Windows," observed Storms. "It's also batting four for five for Vista and [Windows] Server 2008."

As Storms said, four of the five updates apply to Windows Vista -- all four of those are ranked critical -- while the same four will also impact Windows Server 2008, the newest production version of Microsoft's server software. Three of those Server 2008 updates were pegged critical, while the fourth was rated as "important," the next-lowest threat level.

Windows 2000, Windows XP and Windows Server 2003 will also receive updates Tuesday.

"We usually don't expect to see Microsoft's new OSes to be critical," noted Storms. "It's also unusual that they're all for Windows. So this is out of the ordinary."

Microsoft won't be patching the just-revealed vulnerability in its popular Internet Information Services (IIS) Web server, according to Storms. "We couldn't expect Microsoft to patch it that fast," he said, reading the tea leaves of the advance notification to dismiss any thought that the bug in IIS 5.0, 5.1 and 6.0 will get a fix next week.

Even though Microsoft promised Tuesday that it would patch IIS at some point, other analysts had said it was very unlikely that Microsoft would have an IIS patch ready in time.

Next week's five updates follow the nine issued Aug. 11, the two emergency updates released in late July, and the six it shipped July 14, that month's regularly-scheduled Patch Tuesday.

Microsoft will release the five updates at approximately 1 p.m. ET on Sept 8.