[ISN] Microsoft Plans Two Patches Next Week

InfoSec News isn at c4i.org
Fri Mar 10 01:18:27 EST 2006


By Gregg Keizer 
Mar 9, 2006

Microsoft on Thursday said it would release just two security patches 
next week, five fewer than last month. 

A fix for Microsoft Office, the Redmond, Wash.-based company's
business productivity suite, is on the calendar, as is a separate
patch for Windows. The former will be labeled "critical," Microsoft's
most serious warning, while the latter will be tagged as "important."

Microsoft assigns "critical" to security bulletins when it believes an
exploit of the vulnerability could be used to create a worm able to
spread without any user interaction [1].

As is its practice, Microsoft gave no additional details. Its advance
notifications [2] are meant only to "help customers plan for the
deployment of these security updates more effectively," the company
said in the alert.

Although the warning didn't offer clues on the problems to be patched,
eEye Digital Security [3] knows about one unfixed critical
vulnerability in Windows, while Danish vulnerability tracker Secunia
lists several unpatched Office problems. Because the latter, however,
hark back to 2003 and 2004, it's likely the Office issue has either
not yet been disclosed or has been kept quiet by its discoverer(s).

A single non-security, high-priority update will also be released via
Microsoft Update, said the alert, and the Windows Malicious Software
Removal Tool will, as usual, be refreshed.

Last month, Microsoft unveiled seven bulletins [4] for Windows,
Internet Explorer, Media Player, and PowerPoint. Two of the seven were
deemed critical.

March's security bulletins, patches, and updates will be issued
Tuesday, March 14.

[1] http://www.microsoft.com/technet/security/bulletin/rating.mspx
[2] http://www.microsoft.com/technet/security/bulletin/advance.mspx
[3] http://www.eeye.com/html/research/upcoming/20051011.html
[4] http://www.techweb.com/wire/security/180201607

More information about the ISN mailing list