Microsoft slates critical Windows, Office, IE patches next week, including 'head-scratcher'
Reveals Patch Tuesday's agenda, plans to fix 11 flaws with six security updates
Computerworld - Microsoft today said it would issue six security updates next week, four of them critical, to patch 11 bugs in Windows, Internet Explorer, Office, SQL Server and its virtual private networking platform.
One of the updates, labeled Bulletin 4, looks like the one that should top the to-do list next Tuesday when Microsoft ships its monthly security updates, said a security expert.
The quartet marked "critical," Microsoft's most dire threat ranking in its four-step scoring system, included Windows, Internet Explorer and Office updates, while the remaining pair were tagged "important," the second-level rating. Five of the six -- including one of those labeled as important -- will patch bugs that Microsoft said could be exploited by attackers to compromise PCs and plant malware on victimized machines.
"[Bulletin 4] is a head-scratcher," said Andrew Storms, director of security operations at nCircle Security. "Usually a bulletin covers developer tools or servers or Office, but whammo, here's one with everything."
Bulletin 4, according to Microsoft's advance notification advisory for April's Patch Tuesday, will affect Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime.
That's a lot of products, Storms said.
"When administrators get this patch, the amount of due diligence necessary will be a lot more than the usual update," Storms said, talking about the internal testing enterprises usually conduct on Microsoft's fixes before deploying them to their machines.
While other researchers didn't rank Bulletin 4 as the most important update -- instead they highlighted Bulletin 1, the bi-monthly update for IE -- they did make note of the former.
"Bulletin 4 will be challenging as it addresses a wide variety of applications including server side software," said Wolfgang Kandek, CTO at Qualys, in an email today.
Marcus Carey, a security researcher at Rapid7, called Bulletin 4 "interesting" and, like Storms and Kandek, cited the update's diverse targets as the reason.
Although Microsoft's bare-bones advance notification did not specify the software module(s) that Bulletin 4 will patch, Storms speculated that the flaw lies in the Microsoft Data Access Components (MDAC), a set of components that lets Windows access databases such as Microsoft's own SQL Server.
Microsoft last patched MDAC vulnerabilities in January 2011. The bugs fixed at that time, also pegged as critical, were in the MDAC ActiveX control that allows users to access databases from within IE.
Another component, dubbed "Dedicated Administrator Connection" (DAC), could also be at the root of the problem, since it also is associated with SQL Server. The DAC lets administrators access a running instance of SQL Server Database Engine for troubleshooting when the server is unresponsive.
Kandek called out the IE update as his top priority next week. The update, marked critical for all editions -- from the ancient IE6 to the one-year-old IE9 -- on Windows XP, Vista and Windows 7, will probably include fixes for several flaws if Microsoft adheres to its usual practice of combining multiple patches in its six browser updates each year.
Other updates will address vulnerabilities in all versions of Windows, both for desktops and servers, in Office 2007, in the still-supported Microsoft Works 9, and in Forefront Unified Access Gateway 2010, the company's VPN (virtual private networking) platform that lets enterprise workers connect with corporate applications when outside the office.
Works, which Microsoft dumped from its active product list more than two years ago, is guaranteed support until Oct. 9, 2012.
Microsoft will release the six updates at approximately 1 p.m. Eastern time on April 10.
Adobe has also slated updates for its Reader and Acrobat PDF software that same day. The company will assign those updates -- for Reader 9.5 and earlier, and Acrobat 9.5 and earlier -- a priority rating of "1," Adobe's highest. In this case, an Adobe spokeswoman confirmed Thursday, it does not mean that hackers are already exploiting one or more of the to-be-patched bugs, which is one criterion for the top ranking. Instead, she said, the "1" rating indicates Adobe believes those flaws "have a higher risk of being targeted ... once the update is released."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.