Microsoft will release four bulletins next week to fix security vulnerabilities in the Windows operating system and Office applications.
Microsoft plans to fix 22
bugs across four vulnerabilities in July's Patch Update release next week.
One bulletin has a maximum
severity rating of "critical" and the remaining three are rated
"important," Microsoft said July 7 in its Patch
Tuesday advance notification
. The critical bulletin addresses
vulnerabilities that can result in remote code execution attacks against
Windows Vista SP1, Vista SP2 and Windows 7.
The critical bulletin and
two of the important bulletins address security holes in all supported versions
of the Windows operating system, including windows XP, Windows Server 2003,
Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.
The final bulletin will fix
security issues in Microsoft Visio 2003 Service Pack 3 that could be exploited
remotely to execute code. This patch will likely be the second-highest priority
for administrators to deploy, Amol Sarwate, a vulnerability labs manager at
This month's Patch Tuesday
release is expected July 12.
Even though it has only a
quarter of the bulletins that last month's update package has, July's release
is "rather disruptive," as the patches affect the operating system
and require a restart, Paul Henry, a security and forensic analyst at
Lumension, told eWEEK.
Even so, many companies will
have a relatively easier time with the updates because of the "limited
exposure" of affected software, so they won't have to install all the
patches, Sarwate said.
"Although this is a
'light' Patch Tuesday month, it is important to keep an eye out for any
non-Microsoft vendors releasing new updates," said Jason Miller, manager
of the research and development team at VMware.
Oracle is expected to issue
its scheduled quarterly Critical Patch Update July 19.
Lumension's Henry agreed
with Miller, noting the "constant stream of vulnerabilities" being
discovered in mobile devices, including the PDF flaw recently uncovered for iOS
devices and the zero-day in Hewlett-Packard's new TouchPad. Apple said it will
roll out a fix for the mobile Safari Web browser in a future update.
"The point here is that
Microsoft does not have exclusivity when it comes to issuing patches,"
Henry said. Administrators need to stay on top of the updates from all the
vendors they work with, he said.
Microsoft is also expected
to retire Office
and Windows Vista Service Pack 1 July 12, the company announced July 5.
After this Patch Tuesday, Microsoft will stop issuing security updates for the
productivity suite from 2001 and Vista SP1. Office XP was last patched in June's
while Vista SP1 will be updated this month for the last time.
Vista users can continue
getting updates by installing SP2, which was released May 2009, and mainstream
support will be available until April 2012. Office XP users can upgrade to
Microsoft Office 2010, or even to Office 2007 Service Pack 2 or Office 2003
Service Pack 3, Microsoft said. Security updates will be available for Office
2007 SP2 and Office 2003 SP3 until April 2017 and April 2014, respectively.
Microsoft generally supports
software for 10 years and issues security updates during that entire time
period, but security updates are generally available only for the first five
years. Updates during the last five years are available only to users who paid
for special support contracts.