Microsoft yesterday said it would ship six security updates next week, just one of them critical, to patch seven vulnerabilities in Windows and a pair of developer-only programs. This year's March Patch Tuesday will feature three more updates and three more patches than the same month in 2011, but will fix fewer bugs than the March roster in each of the years 2008-2010, according to records kept by Andrew Storms, director of security operations at nCircle Security.
One of the six updates was tagged "critical," the highest threat ranking in Microsoft's four-label system, while four were marked "important," the second-level rating, and the sixth "moderate." One of the important updates, as well as the sole critical one, will patch bugs that Microsoft confirmed could be exploited by attackers to compromise PCs and plant malware on the affected machines.
Storms attempted to parse the limited information Microsoft revealed in the advance notification for Patch Tuesday but came up mostly empty. "Overall, there is not much to go on here as we seem to be back to lower numbers on a down month," said Storms in an instant message interview.
Storms was referring to Microsoft's habit of issuing a higher number of updates in even-numbered months.
In February, Microsoft issued nine security updates -- called "bulletins" in its parlance -- that patched 21 vulnerabilities. Based on what Microsoft disclosed yesterday, Storms and other security experts pegged "Bulletin 1," the single critical update, as the one most users should apply first.
"It's rare to see a bulletin that spans every version of Windows," said Storms, referring to that update's applicability -- and critical rating -- for everything from Windows XP to Windows 7, and from Server 2003 to Server 2008 R2. "Either it's a serious bug in code that was never touched during all the reworks from XP all the way to Windows 7, or what we have here is a bulletin on multiple bugs grouped together. It could be one vulnerability affecting older editions and another for the newer versions."
Wolfgang Kandek, the chief technology officer at Qualys, and Alex Horan, senior product manager for security intelligence at Core Security, also tagged that update as the most important of the month.
In an email Thursday, Horan called Bulletin 1 a potential "Holy Grail of exploits" because it will patch all editions of Windows, and thus will make a lucrative target for cybercriminal researchers searching for ways to hack PCs.
Bulletin 3, said Microsoft, also affects every supported edition of Windows, although the underlying flaw could be used by hackers only to obtain additional rights. So-called "elevation of privilege" vulnerabilities are frequently used by attackers in conjunction with other exploits to gain wider access to a computer or the network it is on.
Storms also called out Bulletin 3, which applies to Windows Server software, but not the client editions for desktops and notebooks. "We have seen Server-only bulletins before," he said, "which makes sense, as the Server versions of Windows use different services. It is likely we will see the bug in some area that can only be installed on Server, [making] this of interest to the server ops guys at the table."
Besides the four Windows updates, Microsoft will also issue bulletins targeting bugs in Visual Studio 2008 and 2010, and Expression Design. The latter is a professional-grade illustration and design tool for creating and editing images for websites that, according to Microsoft's records, has never received a security update. Bulletin 5, the one aimed at Expression Design, will address a bug that hackers could use to execute attack code.