Microsoft Corp. Thursday said it will release nine security updates next Tuesday, half again as many as last month, targeting flaws in Windows, Office, Internet Explorer (IE) and Virtual PC.
Of the nine bulletins expected Aug. 14, six will be labeled “critical,” Microsoft’s highest rating, with the remaining three ranked “important.” Vulnerabilities slated to be fixed by eight of the nine updates, however, have been pegged as remote code executable, a sure sign that the bugs are very dangerous, and if exploited, could easily allow a PC to be hijacked by hackers.
Microsoft Windows, including Vista, will be the focus of four of the nine updates, with one of those Vista fixes pegged critical. Other critical patches will be provided for Microsoft Office in general, Excel in particular, Visual Basic 6.0 and IE, the company’s market-leading browser. Of the bulletins labeled important, fixes will be issued for Windows Vista, Windows Media Player, Virtual PC and Virtual Server and IE.
Vista is especially hard-pressed in the advance notification, which Microsoft posted to its security site early today. Five of the nine, or just over half, of the updates patch Vista or a component of the new operating system, such as IE 7 or Media Player 11.
Four nonsecurity updates that Microsoft considers “high priority” will also post next week via Windows Update, Microsoft Update and Windows Server Update Services. The note did not hint, however, whether the two Vista hot fix packs now available for manual download will be among that group; Microsoft has promised that the performance and reliability hot fixes will offered up through Windows Update, but has refused to say when.
As is its custom, Microsoft gave only partial details of the upcoming updates, making it difficult at best to predict the vulnerabilities being patched. Clues, however, exist.
One of the updates is to patch Microsoft XML Core Services, a service that lets developers use scripting languages such as JavaScript and Visual Basic to access XML documents. The bug (or bugs — today’s advance warning didn’t spell out the number) in XML Core Services 5.0 and 6.0 exists in both Office and Windows, said Microsoft. In both Vista and Office 2007, versions of long-standing product lines that Microsoft has touted as their most secure ever, the XML Core Services flaw is rated critical.
XML Core Services has been plugged in the past, most recently in November 2006 when Microsoft patched a bug in the service that was already being exploited in the wild when the fix was issued.
Although Microsoft had patched the service the month before, it missed at least one bug, which was almost immediately put into play by attackers who duped users to malicious Web sites, then exploited the flaw to compromise their computers. It’s possible that next week’s fix is for yet another vulnerability that Microsoft security team missed when reviewing the code twice last year.
Another of the expected bulletins will fix a flaw in Excel. The affected software, which includes Office 2000, in which the bug is ranked critical, as well as Office XP, Office 2003 and Excel Viewer 2003, points toward an Office file format vulnerability similar to several others of the past 18 months, and as recently as July.
Assuming Microsoft releases all the updates — occasionally, it drops one at the last minute — users will have faced 50 bulletins through the first eight months of 2007, one fewer than during the same stretch last year.
If its past practice means anything, Microsoft will post next week’s updates on its site between 1 p.m. and 3 p.m. EDT.