Microsoft to deliver 13 security patches for 26 bugs
After a quiet January Patch Tuesday that saw only one security update, Microsoft is back with a vengeance this month.
The software giant on Tuesday plans to release 13 patches to address 26 vulnerabilities, according to an advance notification. Five of the fixes are rated "critical," seven are graded "important" and one is listed as "moderate."
Microsoft's latest operating systems, Vista and Windows 7, each are affected by only three of the five critical patches. However, one of the critical bulletins does affect all supported versions of Windows.
Multiple Office flaws are scheduled to be resolved with two patches rated important.
"We encourage customers to upgrade to the latest versions of both Windows and Office," Jerry Bryant, senior security communications manager at Microsoft, said Thursday in a blog post. "As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products."
One of the three publicly known Windows vulnerabilities is scheduled to be fixed, Bryant said. That one is a privilege-escalation flaw in the Windows kernel, disclosed last month, one day after a Google engineer posted details of the flaw to the Full Disclosure mailing list
The IE flaw "only affects versions of Windows older than Vista in their default configuration, and there is a 'Fix-It' available so customers in nondefault configurations can protect themselves," Bryant said.
Meanwhile, the SMB issue can lead to a denial-of-service that results in a system crash, but not the injection of malicious code.
Administrators should start preparing for the update, said Don Leatham, senior director of solutions and strategy for Lumension, a vulnerability management firm.
"It will be imperative to plan ahead this month on how these patches should be deployed throughout their enterprises to minimize the possibility of widespread disruption," he said.
In other news from the advance notification document, Microsoft plans to drop support for Windows XP Service Pack 2 and Windows 2000 on July 13.