Microsoft Plans Fixes for 22 Bugs in July Patch Tuesday Update

Microsoft will release four bulletins next week to fix security vulnerabilities in the Windows operating system and Office applications.

Microsoft plans to fix 22 bugs across four bulletins in July's Patch Tuesday release next week.

One bulletin has a maximum severity rating of "critical" and the remaining three are rated "important," Microsoft said July 7 in its Patch Tuesday advance notification. The critical bulletin addresses vulnerabilities that can result in remote code execution attacks against Windows Vista SP1, Vista SP2 and Windows 7.

The critical bulletin and two of the important bulletins address security holes in all supported versions of the Windows operating system, including Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

The final bulletin will fix security issues in Microsoft Visio 2003 Service Pack 3 that could be exploited remotely to execute code. This patch will likely be the second-highest priority for administrators to deploy, Amol Sarwate, a vulnerability labs manager at Qualys, said.

This month's Patch Tuesday release is expected July 12.

Even though it has only a quarter of the bulletins that last month's update package has, July's release is "rather disruptive," as the patches affect the operating system and require a restart, Paul Henry, a security and forensic analyst at Lumension, told eWEEK.

Even so, many companies will have a relatively easier time with the updates because of the "limited exposure" of affected software, so they won't have to install all the patches, Sarwate said.

"Although this is a 'light' Patch Tuesday month, it is important to keep an eye out for any non-Microsoft vendors releasing new updates," said Jason Miller, manager of the research and development team at VMware.

Oracle is expected to issue its scheduled quarterly Critical Patch Update July 19.

Lumension's Henry agreed with Miller, noting the "constant stream of vulnerabilities" being discovered in mobile devices, including the PDF flaw recently uncovered for iOS devices and the zero-day in Hewlett-Packard's new TouchPad. Apple said it will roll out a fix for the mobile Safari Web browser in a future update.

"The point here is that Microsoft does not have exclusivity when it comes to issuing patches," Henry said. Administrators need to stay on top of the updates from all the vendors they work with, he said.

Microsoft is also expected to retire Office XP and Windows Vista Service Pack 1 July 12, the company announced July 5. After this Patch Tuesday, Microsoft will stop issuing security updates for the productivity suite from 2001 and Vista SP1. Office XP was last patched in June's update while Vista SP1 will be updated this month for the last time.

Vista users can continue getting updates by installing SP2, which was released in May 2009, and mainstream support will be available until April 2012. Office XP users can upgrade to Microsoft Office 2010, or even to Office 2007 Service Pack 2 or Office 2003 Service Pack 3, Microsoft said. Security updates will be available for Office 2007 SP2 and Office 2003 SP3 until April 2017 and April 2014, respectively.

Microsoft generally supports software for 10 years and issues security updates during that entire time period, but security updates are generally available only for the first five years. Updates during the last five years are available only to users who paid for special support contracts.