Microsoft plans six patches next week, ties November record

Computerworld - Microsoft today said it will deliver six security updates Tuesday, less than half the number it issued last month, to fix flaws in Windows and Office.

The updates will patch a total of 15 separate vulnerabilities, Microsoft said in a follow-up entry to its security response center's blog.

"Six is the lucky number this month," said Andrew Storms, director of security operations at nCircle Network Security. "Really, anything less than 13 is a lucky number."

Last month, Microsoft released 13 updates that patched 34 vulnerabilities, both records since the company started shipping monthly updates more than six years ago.

The six slated for next week, however, tie the record for the most issued in November, traditionally a light month for Microsoft updates. In November 2006, the company also delivered a half-dozen security updates. In 2007 and 2008, however, it shipped just two each year in November, while it released only one in 2005.

Of the half-dozen updates, Microsoft tagged three as "critical," the highest severity rating in its four-step scoring system, while the remaining trio were labeled "important," the next-lowest ranking. Four of the six affect one or more editions of Windows or Windows Server; the other two will patch Office, specifically Word and Excel.

Because there are no outstanding Microsoft-generated security advisories, Storms was at a loss about what next week's updates might fix. "But Bulletin 1 looks interesting," he said, noting that the critical update would patch only Vista and Server 2008. "Historically, you would expect a Vista patch to also affect XP, and maybe even Windows 7," Storms explained.

None of Tuesday's updates will affect Windows 7, Microsoft's just-released operating system, or the also-new Windows Server 2008 R2, the companion server software. Last month, Microsoft released the first patches for Windows 7's final code.

"There aren't any Windows 7 patches at all," Storms said. "So, so far so good." Windows 7 will be worth watching, however. "It will be more interesting down the road to see if Microsoft disclosed bugs they found in Windows 7, and fixed during development, but are just now going back and fixing in the older OSes."

Another update to watch carefully next week is the one Microsoft named "Bulletin 3" in its advance notification, the monthly forewarning that includes only the barest of details.

That update, also rated critical, affects everything version from the aged Windows 2000 to Vista and Server 2008. "I think No. 3 is the big one to watch next week," said Storms.

Another researcher agreed. "Our sources unanimously suggest that Bulletin 3 will be the issue that needs to be addressed first this month," echoed Sheldon Malm, senior director of security strategy at Rapid7, in an e-mail. "[Users] should take inventory of where Windows versions are within their environments so they can plan testing and roll-out of the patch for Bulletin 3 as quickly as possible."