Patch Tuesday preview: What Microsoft fixes today is anyone's guess

One sure bet: There'll be no fix for a Word bug exploited for two months

Microsoft Corp.'s emergency patch a week ago has thrown off researchers who track the company's security updates, leaving them with little to go on when predicting what today's updates will address.

Last week, Microsoft said it would release five security updates today, four affecting Windows, one dealing with Microsoft Content Management Server.

"I'm just not sure at this point what they'll fix," said Minoo Hamilton, senior security researcher with patch management vendor nCircle Network Security Inc. "The out-of-band [ANI vulnerability] patch was obviously specific to events. And for last month, when they skipped the month, we still don't know if they were just holding some or sitting on them or didn't have anything."

Amol Sarwate, the manager of rival Qualys Inc.'s vulnerability lab, would only hazard a general guess. "I'm assuming that the four vulnerabilities in Windows will be core operating system vulnerabilities. But will they affect Vista? And if so, will the vulnerability be in code which was reused [from earlier Windows], like the ANI vulnerability? Those are the two important questions."

Sarwate and Hamilton felt they were on firmer ground when discussing what wouldn't be in today's updates. "What they did not call out was a fix for the vulnerability in Word," said Sarwate.

Hamilton also noticed the absence of an Office update, which in the past Microsoft has called out separately from Windows fixes in its pre-patch announcements. "It seems like there's a vulnerability in Office every single month, so I'm not sure what happened here."

Microsoft acknowledged a bug in Word 2000 and Word 2002 almost two months ago, when it also said that attackers had already turned exploits loose.

Typically, Microsoft's once-a-month security updates include patches for a mix of vulnerabilities: some may already have been publicly disclosed, but a larger number are for bugs that were reported privately to the software developer. Of the publicly known, unpatched flaws in the company's Windows operating system -- as listed by eEye Digital Security Inc.'s Zero-Day Tracker site and the SANS Institute's missing patches listing -- none rank critical. Microsoft said last week, however, that at least one of today's updates will carry just such a critical rating.

The update for Microsoft Content Management Server, a discontinued Web content management product whose functionality has been absorbed into the new Microsoft Office SharePoint Server 2007, will also be graded critical, Microsoft has said. However, Danish bug tracker Secunia has no outstanding vulnerabilities listed for the content server software, making it likely that the flaw was reported privately to Microsoft's security team rather than disclosed publicly.

Assuming Microsoft unveils the five expected updates, the first third of 2007 will have broken last year's pace in both the number of security bulletins released and the number of individual flaws fixed.

Today's updates will be available for manual download from the Microsoft Web site at around 1 p.m. EDT.

Copyright © 2007 IDG Communications, Inc.
