Microsoft plans to ship 10 security bulletins to cover a range of potentially serious vulnerabilities in its Windows operating system.
After a one-month patching respite, next Tuesdays patch barrage from Microsoft Corp. will cover seven holes in Windows, some rated “critical,” the companys highest severity rating.
A “critical” rating is used to rate a vulnerability that can be exploited to allow the propagation of an Internet worm without any user action.
The other three bulletins will address vulnerabilities in Microsoft Windows and Microsoft Services for Unix, Microsoft Exchange, Microsoft ISA (Internet Security and Acceleration) Server and Small Business Server. These flaws are rated “moderate” and “important.”
The company is withholding details until the bulletins are released on June 14, but security researchers are expecting a cumulative Internet Explorer patch to address known—and unpatched—code execution flaws in the browser.
Microsoft typically includes IE patches under the Windows umbrella in its Security Bulletin Advance Notice mechanism.
Private research outfit eEye Digital Security has already published basic information on several “high severity” IE and Outlook bugs and warned that malicious hackers could run a successful exploit from anywhere on the Internet.
“These are client-side vulnerabilities that could allow attacks via a Web browser or the Outlook client. The risk of a zero-day attack is quite high,” Maiffret said in a recent interview with Ziff Davis Internet News. The flaw was detected in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.
Although it was not mentioned in the advance notice, Microsoft is also scheduled to rerelease a “critical” bulletin because of patch quality problems. The bulletin, MS05-019, first released in April, contains patches that have caused major connectivity problems for network administrators.
The connectivity errors range from the inability of Exchange servers to talk to their domain controllers, to failure of domain-controller replication across WAN links, to an inability to connect to terminal servers or to file-share access.
The company will also update its Windows Malicious Software Removal Tool to add detection for new worms and viruses.