Microsoft will release nine security updates on Patch Tuesday next week, patching flaws in Windows, Office, Internet Explorer and Virtual PC.
Of the nine bulletins, six will be labelled "critical," Microsoft's highest rating, with the remaining three ranked "important." The vulnerabilities have been pegged as allowing remote code execution, a sure sign that the bugs are very dangerous and, if exploited, could easily allow a PC to be hijacked by hackers.
Microsoft Windows, including Vista, will be the focus of four of the nine updates, with one fix pegged critical. Other critical patches will be provided for Microsoft Office, Excel, Visual Basic 6.0 and IE. Of the bulletins labelled important, fixes will be issued for Windows Vista, Windows Media Player, Virtual PC and Virtual Server and IE.
Vista is especially hard-pressed in the advance notification, which Microsoft posted to its security site yesterday. Five of the nine updates patch Vista or a component of the new operating system, such as IE 7 or Media Player 11.
Four non-security updates that Microsoft considers "high priority" will also post next week via Windows Update, Microsoft Update and Windows Server Update Services. The note did not hint, however, whether the two Vista hot fix packs now available for manual download will be among that group; Microsoft has promised that the performance and reliability hot fixes will be offered up through Windows Update, but has refused to say when.
As is its custom, Microsoft gave only partial details of the upcoming updates, making it difficult at best to predict the vulnerabilities being patched. Clues, however, exist.
XML Core Services has been plugged in the past, most recently in November 2006 when Microsoft patched a bug in the service that was already being exploited in the wild when the fix was issued.
Although Microsoft had patched the service the month before, it missed at least one bug, which was almost immediately put into play by attackers who duped users into visiting malicious web sites, then exploited the flaw to compromise their computers. It's possible that next week's fix is for yet another vulnerability that Microsoft's security team missed when reviewing the code twice last year.
Another of the expected bulletins will fix a flaw in Excel. The affected software includes Office 2000, in which the bug is ranked critical, as well as Office XP, Office 2003 and Excel Viewer 2003. That list points toward an Office file format vulnerability similar to several others of the past 18 months, the latest as recently as last month.
Assuming Microsoft releases all the updates - occasionally, it drops one at the last minute - users will have faced 50 bulletins through the first eight months of 2007, one fewer than during the same stretch last year.