Microsoft set to deliver a dozen patches
Redmond is slated to release seven bulletins affecting “critical” vulnerabilities, meaning they can be exploited to execute remote code, and five fixes to remedy bugs labeled “important.”
One of the “critical” patches will plug a severe but previously unknown vulnerability in Internet Explorer
“It affects every version of IE and every operating system,” Jason Miller, manager of the data and information team at Shavlik Technologies, provider of patch management software, said. “There could be exploits in the wild.”
The patch release also appears to include a fix for a zero-day Excel hole, disclosed Jan. 15, Miller told SCMagazineUS.com today. Microsoft had warned Windows and Mac users that cyberattackers are remotely exploiting the flaw in targeted attacks.
But there is no way to be sure the fix is coming because the advance notification bulletin only states the affected software, not the particular flaw being addressed.
Meanwhile, the “important” patches will address a number of server-side issues, including bugs in the Active Directory on Windows Server 2003 and Microsoft Internet Information Services on Windows 2000, XP and Vista.
Vista, Microsoft's newest operating system version, is listed as vulnerable in five of the 12 bulletins.
Mark Shavlik, founder and chief executive officer of Shavlik Technologies, told SCMagazineUS.com today that Tuesday will provide the climax to a busy patching period. Just this week, administrators were forced to grapple with updates to Adobe Reader, Apple QuickTime, Sun Java and Skype.
“It's a busy two-week run,” Shavlik said. “It had been a little quiet with the holiday.”
Tuesday's round of fixes from Microsoft will match last February's delivery of 12 patches, which remains the highest number released since the summer of 2006. Last August included nine bulletins.