Microsoft Corp.'s security patch train will carry a light load this month.
Next Tuesday, the Redmond, Wash.-based software maker plans to issue a solitary bulletin to cover a “critical” flaw in the Windows operating system.
As is customary, the company is not releasing details on the vulnerability until Nov. 8.
The fact that the bulletin is rated “critical” suggests it covers a flaw that can be exploited to spread an Internet worm without user action.
The update will be detectable using the MBSA (Microsoft Baseline Security Analyzer) and will accompany the monthly refresh of the malicious software removal tool, a free utility that lets Windows users zap known virus variants.
The news that only one patch is on tap means that a long list of known Windows vulnerabilities, some rated “high risk,” will remain unpatched.
eEye Digital Security, a security research outfit that regularly reports flaws to Microsoft, lists eight Windows flaws that have not yet been fixed.
Three of the eight are more than three months overdue. They affect users of two of the most widely deployed Microsoft products: the Internet Explorer browser and the Outlook e-mail program.
The company has also been tardy in addressing a publicly reported bug in the Microsoft Jet Database Engine.
That flaw, which was discovered by HexView Security Research and Assessment, affects fully patched systems with Microsoft Access 2003 and Microsoft Windows XP, including Service Pack 2.
The Jet DB engine vulnerability was reported to Microsoft more than seven months ago.
Malicious hackers have already exploited the flaw with a mail-borne Trojan that opens a back door on the compromised computer to allow a remote attacker unauthorized access.