Computerworld - Microsoft today said it will issue four security updates next week, only one of which is pegged as critical, to patch 22 vulnerabilities in Windows and Visio 2003.
Next Tuesday’s patch lineup is smaller than June’s, when Microsoft shipped16 updates that fixed 34 flaws. The company typically delivers a lighter load in odd-numbered months. In May, for instance, Microsoft shipped just two updates — the company calls them “bulletins” — to patch only three vulnerabilities.
Of the four updates slated, one will be rated “critical,” the highest threat label in Microsoft’s four-step scoring system, while the other three will be marked “important,” the second-most-dire ranking.
Next week’s Patch Tuesday vulnerability count will be among the largest for the year, with its 22 bested only by April’s 64 and June’s 34, and tied with February’s collection.
But the bugs-per-bulletins ratio is the highest for the year, observed Andrew Storms, director of security operations at nCircle Security, hinting of next week’s releases.
“I think we’ll see one bulletin with a very high number of vulnerabilities,” said Storms. “We’ve seen that happen several times this year, most recently last month when it patched eight bugs in Excel with one update.
In April, Microsoft patched 30 vulnerabilities in the Windows kernel device driver with a single bulletin, a record for one update.
Storms said that the multi-bug update coming next Tuesday may fix numerous “elevation of privilege” vulnerabilities or a large number of “DDL load hijacking” flaws.
The former describes a bug attackers can use to gain complete administrative control of a system that they can already access, perhaps through an exploit of a separate vulnerability. DLL load hijacking, on the other hand, is the term used for attacks that rely on tricking applications or operating systems into loading a malicious file with the same name as a legitimate DLL, or dynamic link library.
Microsoft has issued more than a dozen DLL load hijacking updates since last November. In May, the Slovenian firm Acros Security announced thatmore DLL load hijacking updates were necessary to plug holes in Windows 7 and Internet Explorer 9 (IE9). At the time, Microsoft said only that it was investigating the Acros report.
The sole critical update scheduled for next week affects Windows Vista and Windows 7, but does not impact the much older Windows XP or any of Microsoft’s server operating systems.
Because Windows XP will be immune to the one or more vulnerabilities in that update, Storms said the bug had to be in code first used in Vista, then reused in Windows 7. He noted there are multiple candidates that fit the bill, including the security prompting component called UAC — for “user account control” — but said there wasn’t sufficient information to take an educated guess.