Microsoft plans puny patch slate next week

Of the two updates, one is a fix for XML Core Services throughout Windows

Microsoft Corp. today said it will release only two security updates on Tuesday -- down from the 11 issued in October's mammoth Patch Tuesday -- to fix bugs in Windows and Office.

One of the two will be rated "critical," Microsoft's highest threat ranking, while the other will be tagged "important," the next rating down. Both updates will address remote code execution vulnerabilities, a description that generally means attackers could exploit the bugs to run their own malicious code on vulnerable PCs, often by convincing users to open a file attachment or tricking them into visiting a rogue Web site.

The more serious of the pair addresses one or more flaws in Microsoft XML Core Services and will require patching all still-supported editions of Windows -- including Windows 2000, XP, Vista, Server 2003 and Server 2008 -- as well as Office 2003, Office 2007, SharePoint Server 2007 and Groove Server 2007.

XML Core Services has been patched twice before, most recently in August 2007 as part of a 14-fix package that ranked among the biggest that year. XML Core Services, also known as MSXML, is the component that lets developers working in JScript, VBScript and Visual Studio parse and manipulate XML documents; it is also loaded by Internet Explorer, Office and many other Windows applications that handle XML, which is why a single MSXML bug can require patches across both Windows and Office.

Another flaw in the service was addressed in November 2006, when Microsoft patched a bug that had been actively exploited before the fix was issued.

Today's warning said that XML Core Services 3.0, 4.0, 5.0 and 6.0 would need to be patched on Tuesday.
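Because several MSXML versions can sit side by side on one machine (3.0 and 6.0 ship with Windows, 4.0 is a separate redistributable, and 5.0 ships with Office), the practical first step is to find out which of them a host actually carries. The following inventory script is an added example, not part of the Computerworld article or any Microsoft tooling; it assumes the usual install locations (System32 and SysWOW64 for MSXML 3, 4 and 6; Common Files\Microsoft Shared for MSXML 5) and simply skips any path that does not exist.

```powershell
# Added example (not from the article): list the MSXML DLLs on this host and
# their file versions, so you can tell which of 3.0, 4.0, 5.0 and 6.0 are present.
# Assumed locations: MSXML 3/4/6 under System32 (and SysWOW64 on 64-bit Windows),
# MSXML 5 under Common Files\Microsoft Shared (installed by Office 2003/2007).
$candidates = @(
    "$env:windir\System32",
    "$env:windir\SysWOW64",
    "$env:CommonProgramFiles\Microsoft Shared",
    "${env:CommonProgramFiles(x86)}\Microsoft Shared"
)
$roots = $candidates | Where-Object { Test-Path $_ }

# Match only the engine DLLs (msxml3.dll ... msxml6.dll), not the msxml*r.dll
# resource libraries that accompany them.
$dlls = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'msxml*.dll' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^msxml[3456]\.dll$' }
}

$dlls |
    Select-Object @{ n = 'Major';       e = { $_.VersionInfo.FileMajorPart } },
                  @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } },
                  FullName,
                  LastWriteTime |
    Sort-Object Major, FullName |
    Format-Table -AutoSize
```

Run it before and after Tuesday's update: the Major column tells you which MSXML generations need the patch, and a FileVersion or LastWriteTime that does not change afterwards is the copy the update missed (MSXML 4.0, in particular, is easy to overlook because it is not part of the base operating system).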

The second update, ranked important, will patch all versions of Windows to plug one or more unspecified holes.

As it did last month, Microsoft will also predict whether criminals will be likely to come up with attack code in the next 30 days. In October, when it debuted the "Exploitability Index," Microsoft labeled eight of the month's 20 total vulnerabilities with the "Consistent exploit code likely" tag, seven with the "Inconsistent exploit code likely" phrase, and four with "Functioning exploit code unlikely."

The company has already deployed one security update since the last Patch Tuesday. On Oct. 23, it released an emergency fix for a critical bug in the Windows Server service, saying that it had found attacks exploiting the vulnerability. Later, Joe Stewart, a noted security researcher at SecureWorks Inc., said his investigation had uncovered a small number of infected PCs -- fewer than 200 -- that triggered Microsoft's decision to patch out-of-cycle.

Microsoft will release November's two security updates at approximately 1 p.m. EST on Tuesday.

Copyright © 2008 IDG Communications, Inc.
