News

Nine Security Patches To Come on Tuesday

• By Jabulani Leffall
• August 07, 2009

Expect nine patches in Microsoft's August security update, according to an advanced notification from Redmond, which suggested that five "critical" and four "important" bulletins will be seen on Tuesday.

The potential heavy hit comes after IT pros reel from two off-cycle Microsoft security bulletins released just last week. From a patching perspective, it's as if July slid into August without a break.

The usual suspects are expected to appear in the August slate, including remote code execution (RCE), elevation-of-privilege and denial-of-service risk considerations. All the fixes will be for Windows and related components.

What's unique for this month will be a critical cluster fix involving Microsoft Office, Visual Studio, Internet Security and Acceleration (ISA) Server, and BizTalk Server. This particular security bulletin likely will raise eyebrows among security pros, since Visual Studio and ISA Server were both patched in July.

Critical Patches
Microsoft provided a preview of the five critical fixes expected in its monthly security update.

The first critical fix will be for Office Web Components in Microsoft Office 2000 and 2003, as well as in Microsoft Office Small Business Accounting 2006. However, this fix also relates to Visual Studio .NET 2003, ISA Server 2004 and 2006, plus BizTalk Server 2002. The patch is designed to thwart RCE exploits in all these different products.

The second critical fix will address RCE exploits in supported Windows OS versions ranging from Windows 2000 to Windows Vista, as well as Windows Server 2003 and 2008. It also will plug holes in the Windows Client for Mac, which is a remote desktop function allowing users to connect to Windows-based workstations on a Mac.

Critical fix No. 3 only affects Windows Server 2000 and Windows Server 2003. The fourth critical patch affects all supported Windows OS versions.

The fifth and final critical patch will be for Outlook Express and Windows Media Player on every supported Windows OS version.

Important Patches
Microsoft also provided a peek at some of the important patches to expect next Tuesday.

Important fix No. 1 will have elevation-of-privilege considerations. Left unpatched, hackers may be able to use this vulnerability to promote their user status, or that of their automated proxies, to super-user status on a given system. XP, Vista and Windows Server 2003 and 2008 are all scheduled to get this patch.

The second important bulletin also will be an elevation-of-privilege patch. It will affect every Windows OS except for Windows Server 2008.

The third important item will deal with Redmond's .NET Framework for Vista and Windows Server 2008. It's designed to stave off denial-of-service attacks. Left unpatched, the exploit could leave administrators and Web developers locked out of the system.

The fourth and final fix in the important roster of security bulletins will affect all supported Windows OSes. It's designed to hold RCE exploits at bay in an as-yet-unspecified Windows component.

IT pros can expect to be kept busy with this upcoming August security update. Only the .NET Framework patch will not require a restart, according to Microsoft.

Meanwhile, IT pros can get a jump-start on Redmond's nonsecurity updates coming this month through Windows Update, Microsoft Update and Windows Server Update Services. A good place to start is this knowledgebase article.