Microsoft today said it will issue four security updates next week, only one of which is pegged as critical, to patch 22 vulnerabilities in Windows and Visio 2003.
Next Tuesday's patch lineup is smaller than June's, when Microsoft shipped 16 updates that fixed 34 flaws . The company typically delivers a lighter load in odd-numbered months. In May, for instance, Microsoft shipped just two updates — the company calls them “bulletins” — to patch only three vulnerabilities.
Of the four updates slated, one will be rated “critical,” the highest threat label in Microsoft's four-step scoring system, while the other three will be marked “important,” the second-most-dire ranking.
Next week's Patch Tuesday vulnerability count will be among the largest for the year, with its 22 bested only by April's 64 and June's 34, and tied with February's collection.
But the bugs-per-bulletins ratio is the highest for the year, observed Andrew Storms, director of security operations at nCircle Security, hinting of next week's releases.
“I think we'll see one bulletin with a very high number of vulnerabilities,” said Storms. “We've seen that happen several times this year, most recently last month when it patched eight bugs in Excel with one update.
In April, Microsoft patched 30 vulnerabilities in the Windows kernel device driver with a single bulletin, a record for one update.
Storms said that the multi-bug update coming next Tuesday may fix numerous “elevation of privilege” vulnerabilities or a large number of “DDL load hijacking” flaws.
The former describes a bug attackers can use to gain complete administrative control of a system that they can already access, perhaps through an exploit of a separate vulnerability. DLL load hijacking, on the other hand, is the term used for attacks that rely on tricking applications or operating systems into loading a malicious file with the same name as a legitimate DLL, or dynamic link library.
Microsoft has issued more than a dozen DLL load hijacking updates since last November. In May, the Slovenian firm Acros Security announced that more DLL load hijacking updates were necessary to plug holes in Windows 7 and Internet Explorer 9 (IE9). At the time, Microsoft said only that it was investigating the Acros report.
The sole critical update scheduled for next week affects Windows Vista and Windows 7, but does not impact the much older Windows XP or any of Microsoft's server operating systems.
Because Windows XP will be immune to the one or more vulnerabilities in that update, Storms said the bug had to be in code first used in Vista, then reused in Windows 7. He noted there are multiple candidates that fit the bill, including the security prompting component called UAC — for “user account control” — but said there wasn't sufficient information to take an educated guess.
Three of the four updates will address vulnerabilities in Windows, while the fourth will tackle problems in Microsoft Visio 2003, which was last patched in February.
The three updates that apply to Windows Vista will all patch bugs in Service Pack 1 (SP1), the edition set to head into retirement . Office XP, which will also be dropped from security support, has received its last fix: None of next week's four bulletins will affect that 10-year-old application suite.
And for the second month in a row, Microsoft's security updates likely won't lead the news.
“Last month more of the concerns were about the hacks of Sony Pictures and other sites,” said Storms. “And it looks like other stories will take the cake this month.”
Apple, for instance, faces a pair of “zero-day” vulnerabilities — unpatched bugs that are already being exploited — in the iOS mobile operating system that powers the iPhone and iPad.
“The focus for this month is not necessarily OSes and applications, but the constant stream of vulnerabilities being discovered in the mobile devices connected to our corporate networks,” said Paul Henry, security and forensic analyst at Lumension, in an email today. “Microsoft does not have exclusivity when it comes to issuing patches.”
Microsoft's security updates will be released at approximately 1 p.m. ET on July 12.