Microsoft will deliver five security updates on Tuesday, all affecting Windows and all ranked "critical," the company's highest threat rating.
Unlike most months when Microsoft provides advance notification for upcoming updates,there are few hints of what may be coming, said Andrew Storms, director of security operations at nCircle Network Security.
"It's a foggy advance warning," said Storms. "I'm a little bit at a loss for words. There doesn't seem to be anything here that has been disclosed publicly."
That didn't stop Storms from speculating, though. "We could see another ATL update," he said, referring to the flaws in Active Template Library (ATL), a Microsoft code "library" that it and third-party developers use to create software.
Microsoft acknowledged the ATL vulnerabilities in July, when it issued two emergency updates to patch six bugs in its own software. Since then, it and several other vendors, including Adobe, have released additional patches for programs that inherited the ATL flaws.
"It wouldn't be surprising if Microsoft still had some ATL bugs to fix," said Storms, "although I think it's also likely that we'll see more third-party patches than ones from Microsoft."
All five of the security updates slated to ship next week are rated critical, and all five were tagged as affecting various versions of both the client and server editions of Windows. "I guess you could say that they're batting five for five on Windows," observed Storms. "It's also batting four for five for Vista and [Windows] Server 2008."
As Storms said, four of the five updates apply to Windows Vista -- all four of those are ranked critical -- while the same four will also impact Windows Server 2008, the newest production version of Microsoft's server software. Three of those Server 2008 updates were pegged critical, while the fourth was rated as "important," the next-lowest threat level.
Windows 2000, Windows XP and Windows Server 2003 will also receive updates Tuesday.
"We usually don't expect to see Microsoft's new OSes to be critical," noted Storms. "It's also unusual that they're all for Windows."
Andrew Clarke, Senior VP Lumension, said, "Of the five critical patches, two will require mandatory restarts causing some level of disruption within the enterprise. Both server and desktop management IT groups will be impacted this month.
“Leading the pack this month, however, is Microsoft Vista with four critical vulnerabilities. Given the significant amount of code shared between Vista and Windows 7, it is likely that some of these security bulletins could apply to Windows 7 or Server 2008 R2, but this is not addressed in the information released.
"Companies with access to the RTM builds will want to track the bulletins in the future to see if they are updated to apply to Windows 7 and Windows Release 2.”
Microsoft won't be patching the just-revealed vulnerability in its popular Internet Information Services (IIS) Web server, according to Storms.
"We couldn't expect Microsoft to patch it that fast," he said, reading the tea leaves of the advance notification to dismiss any thought that the bug in IIS 5.0, 5.1 and 6.0 will get a fix next week.
Even though Microsoft promised Tuesday that it would patch IIS at some point, other analysts had said it was very unlikely that Microsoft would have an IIS patch ready in time.
Next week's five updates follow the nine issued Aug. 11 , the two emergency updates released in late July, and the six it shipped July 14 , that month's regularly-scheduled Patch Tuesday.