Microsoft to patch 22 bugs, 3 zero-days next week

Gets around to fixing IE flaw that hackers are already exploiting

Page 2 of 2

Of the dozen updates expected next week, three will be labeled "critical," Microsoft's highest threat ranking, while the remaining nine will be marked "important." Microsoft typically assigns a critical rating to vulnerabilities that can be exploited with little or no action on the part of a user.

This year's February patch batch is slightly smaller than 2010's, when Microsoft shipped 13 security updates that quashed 25 bugs.

The majority of the updates -- 10 of the 12 -- affect Windows, with one of those addressing the IIS 7.0 and IIS 7.5 denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2. The other two will fix one or more flaws in IE and Visio.

Storms said that it's a "safe bet" to assume the Visio update will tackle a file format bug.

It was tough to glean any clues about what specific components Microsoft will patch next week from the advance notification's limited information, added Storms. "With 12 bulletins, it's pretty difficult to guess at what the others will include," he said.

"It's going to be a big day for everybody," Storms said. "It'll be interesting at the end of the day what applications are involved."

Even so, he speculated that one of the updates -- marked today only as "Bulletin 4" -- may address a kernel bug in Windows Vista and Windows 7, as well as Windows Server 2008 and 2008 R2. According to Microsoft, Bulletin 4 will not affect the older Windows XP and Windows Server 2003, the reason Storms pegged the kernel, which Microsoft revamped in Vista and later editions, as a potential suspect.

Last month, Microsoft patched a bug in Vista only that was attributed to the operating system's Backup Manager. That update was the seventh Microsoft has released to repair "DLL load hijacking" or "binary planting" vulnerabilities that researchers disclosed last August.

Microsoft will release the 12 updates at approximately 1 p.m. ET on Feb. 8.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.
