Microsoft to Patch Dirty Dozen in February Update
The software giant, based in Redmond, Wash., indicated that it will deliver its largest array of security updates in a single month since it addressed 12 individual product flaws in August 2006.
Microsoft plans to patch at least five issues in its Windows operating systems that have been ranked critical, its most severe vulnerability rating, and to address an additional pair of critical flaws in its Office productivity suite.
The companys Patch Tuesday preview on its security Web site does not offer specific details of the problems it plans to fix.
Among the factors contributing to the unusually high volume of February patches could be the discovery of four vulnerabilities it had planned to address in its January 2007 security bulletins. Microsoft surprised security researchers by deciding not to fix those vulnerabilities in the January update, including a weakness in its Visual Studio package that the company had originally committed to patching.
It was unclear whether one of the critical Office security flaws that Microsoft plans to issue patches for Feb. 13 is a vulnerability being used in a wide number of targeted zero-day attacks. With researchers having recently identified at least five known unpatched Office file format flaws, it does appear that some of those problems may not be fixed by the upcoming shipment of bulletins.
Another candidate for patching could be a hole in the Excel spreadsheet program that is currently being exploited through so-called zero-day attacks, although the issue was only reported by researchers at anti-virus specialist Symantec on Feb. 7.
In addition to the Windows and Office updates, Microsoft said it plans to release updates for a critical issue found in a wide number of its own security programs, including its Windows Live OneCare, Microsoft Antigen, Windows Defender, Forefront Security for Exchange Server and Forefront Security for SharePoint applications.
A bulletin meant to fix a critical problem in the Microsoft Data Access Components technology is also slated for delivery, bringing the total number of critical vulnerabilities expected to be addressed in the February Patch Tuesday release to nine.
Microsoft reported that it would pass along patches addressing a problem in Windows and Visual Studio that is rated "important," along with another important flaw present in Windows and Office. The final expected update will target an important vulnerability in Microsofts Step-by-Step Interactive Training package.
The software maker will also issue two product bulletins via its Windows Update and Software Update Services and eight releases via its Microsoft Update and Windows Server Update Services that are unrelated to security.