Microsoft to patch 25 flaws, including VBScript and SMB

Microsoft on Tuesday expects to serve up 11 patches to correct 25 security vulnerabilities, the software giant announced Thursday.

Two of those 11 patches are for publicly known issues. One is to correct a flaw in VBScript, which could permit attackers to execute remote code on victim machines. The other is to remedy a denial-of-service bug in Server Message Block, disclosed in November.

Of the planned fixes, five bulletins are labeled "critical," four "important" and one "moderate," according to an advance notification.

"Overall, April's Patch Tuesday bulletin will address at least two critical vulnerabilities for every popular Microsoft platform in use today, so the impact will be widespread regardless of what operating systems companies are currently running," said Don Leatham, senior director of solutions and strategy at vulnerability management firm Lumension. "This means that IT departments will have to address and patch almost every machine in their organization."

Affected are Windows 2000, XP, Vista, Server 2003, Server 2008 and Windows 7, though Windows 7, Microsoft's newest platform, is only impacted by two of the five critical bulletins.

"Similar to past Patch Tuesdays, Windows 7 has less critical updates to install than the older operating system versions, an indication that the newer version of Windows are more robust and secure out of the box," Wolfgang Kandek, CTO of vulnerability management firm Qualys, said Thursday in a blog post.

In a blog post on the Microsoft Security Response Center blog, Jerry Bryant, group manager of response communications at the company, reminded readers that Microsoft no longer will support Windows 2000 and XP Service Pack 2 after July 13.

Adobe and Oracle also are planning fixes for Tuesday.
