Microsoft will deliver six security updates tomorrow, less than half the number it issued last month, to fix flaws in Windows and Office, but still a significant challenge to IT.
The updates will patch a total of 15 separate vulnerabilities, Microsoft said in a follow-up entry to its security response centre's blog.
"Six is the lucky number this month," said Andrew Storms, director of security operations at nCircle Network Security. "Really, anything less than 13 is a lucky number."
Last month, Microsoft released 13 updates that patched 34 vulnerabilities, both records since the company started shipping monthly updates more than six years ago.
The six slated for next week, however, tie the record for the most issued in November, traditionally a light month for Microsoft updates. In November 2006, the company also delivered a half dozen security updates. In 2007 and 2008, however, it shipped just two each year in November, while it released only one in 2005.
Of the half dozen updates, Microsoft tagged three as "critical," the highest severity rating in its four-step scoring system, while the remaining trio were labeled "important," the next lowest ranking. Four of the six affect one or more editions of Windows or Windows Server; the other two will patch Office, specifically Word and Excel.
Because there are no outstanding Microsoft-generated security advisories, Storms was at a loss about what next week's updates might fix. "But Bulletin 1 looks interesting," he said, noting that the critical update would patch only Vista and Server 2008. "Historically, you would expect a Vista patch to also affect XP, and maybe even Windows 7," Storms explained.
None of Tuesday's updates will affect Windows 7, Microsoft's just-released operating system, or the new Windows Server 2008 R2 companion server software. Last month, Microsoft released the first patches for Windows 7's final code.
"There aren't any Windows 7 patches at all," Storms said. "So, so far so good." Windows 7 will be worth watching, however. "It will be more interesting down the road to see if Microsoft disclosed bugs they found in Windows 7, and fixed during development, but are just now going back and fixing in the older OSes."
Another update to watch carefully next week is the one Microsoft named "Bulletin 3" in its advance notification, the monthly forewarning that includes only the barest of details.
That update, also rated critical, affects every version from the aged Windows 2000 to Vista and Server 2008. "I think No. 3 is the big one to watch next week," said Storms.
Another researcher agreed. "Our sources unanimously suggest that Bulletin 3 will be the issue that needs to be addressed first this month," echoed Sheldon Malm, senior director of security strategy at Rapid7, in an email. "[Users] should take inventory of where Windows versions are within their environments so they can plan testing and rollout of the patch for Bulletin 3 as quickly as possible."
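The inventory step Malm recommends can be scripted. The following PowerShell is an added example and is not part of the article or of any vendor tooling; it assumes WMI/DCOM access and administrative rights on each host, and the host names are constructed placeholders. It records the Windows release, version number and service pack of each machine so the hosts covered by a bulletin that spans Windows 2000 through Vista and Server 2008 can be counted and scheduled for testing and rollout, and it lists unreachable hosts so they are not silently dropped from the plan.

```powershell
# Added example (not from the article): inventory Windows releases across a list of hosts
# to scope a bulletin that covers Windows 2000 through Vista/Server 2008.
# Assumes WMI access and admin rights on each host; host names below are constructed placeholders.
$hosts = @('host01.example.local', 'host02.example.local', 'host03.example.local')

$inventory = foreach ($h in $hosts) {
    try {
        # Win32_OperatingSystem exposes the marketing name (Caption), the build (Version)
        # and the installed service pack (CSDVersion) on every release this bulletin spans.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        New-Object PSObject -Property @{
            Host        = $h
            Caption     = $os.Caption
            Version     = $os.Version
            ServicePack = $os.CSDVersion
            Reachable   = $true
        }
    } catch {
        # Keep unreachable hosts in the result set; an inventory that drops them
        # understates how many machines still need the patch.
        New-Object PSObject -Property @{
            Host        = $h
            Caption     = 'unknown'
            Version     = 'unknown'
            ServicePack = ''
            Reachable   = $false
        }
    }
}

# Count hosts per Windows release to size the testing and rollout effort.
$inventory | Group-Object Caption | Select-Object Name, Count | Sort-Object Count -Descending

# Hosts that could not be queried need manual follow-up before the rollout is declared complete.
$inventory | Where-Object { -not $_.Reachable } | Select-Object Host

# Persist the inventory so the same list can be re-checked after the patch is deployed.
$inventory | Export-Csv -Path .\windows-inventory.csv -NoTypeInformation
```

Re-running the same script after deployment and comparing the CSV files gives a before-and-after view of which hosts were patched and which still report the old service pack or build.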
The two Office updates, both important, will address issues in Word and Excel. The first update will impact Word 2002 and Word 2003 on Windows, and Word 2004 and Word 2008 on the Mac. The Excel update, on the other hand, will patch one or more problems in Excel 2002, Excel 2003 and Excel 2007 on the PC, and Excel 2004 and Excel 2008 on the Mac.
"The Office updates are interesting, but from what Microsoft gave us today, I think they'll be the kind of file format parsing bugs we've all come to know and love," Storms said today.
Vulnerabilities in Office file formats have been a treasure trove for hackers, who have successfully exploited them for years. Earlier this week, Microsoft acknowledged that the bulk of all attacks targeting Office in the first half of 2009 were leveraging a single vulnerability, which Microsoft patched in June 2006.
This is the second month in a row that Microsoft has disclosed not only the number of updates it will ship next week, but also the number of flaws those patches will fix. And that's a good thing, said Storms. "That's great," he said. "It aids the planning process, because six bulletins could be six vulnerabilities or 20."