In a preview of the patch release scheduled for Dec. 12, Microsoft said it would release five bulletins targeting vulnerabilities in its Windows operating system, at least one of which will address a flaw ranked by the company as critical, its most severe security rating. The sixth bulletin released by the company will attempt to close a critical hole in its Visual Studio development package.
Microsoft did not provide further details regarding the nature of the bulletins or how many individual patches each release will involve, but it could be that the Visual Studio fix will aim to solve a vulnerability identified in the software by security researchers during the final week of October.
The Redmond, Wash., software giant has offered few additional details about a flaw it said it was investigating that involved a problem with the ActiveX control in Visual Studio 2005 on Windows. Researchers have published proof-of-concept code meant to exploit the glitch, and Microsoft said it had received word of limited attacks using the reported vulnerability.
The December Patch Tuesday installment does not appear to include a fix for an unpatched vulnerability in its Word software program that is being used in targeted, zero-day attacks. On Dec. 5, the company issued a security advisory that said the flaw can be exploited if a user simply opens a rigged Word document.
Microsoft said it would also ship four high-priority nonsecurity Windows updates via its Windows Update and Software Update Services automated patch delivery systems as part of the release, as well as an updated version of its Windows Malicious Software Removal Tool. The malware removal kit will be distributed on Microsofts Windows Update, Microsoft Update, Windows Server Update Services and Download Center resources, but not via its Software Update Service.
In addition, the company plans to distribute 10 other high-priority nonsecurity updates over its Microsoft Update and Windows Server Update Services.
In November, Microsoft released a critical cumulative update for its Internet Explorer browser to fix a flaw that had been being used in targeted zero-day attacks since early October, along with five other security bulletins, four of which were meant to address critical issues.
Microsoft isnt the only software maker being forced to issue sizeable security bulletins in recent weeks. In late November Apple Computer shipped a monster security update to correct a total of 22 vulnerabilities in its Mac OS X operating system.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.