Microsoft to Patch Dirty Dozen in February Update

By Matt Hines Print this article Print

The software giant says it will drop 12 security updates for its customers on Feb. 13, its largest batch of product bulletins since August 2006.

Microsoft reported Feb. 8 that it will ship a dozen security bulletins, including five updates meant to fix critical Windows flaws, as part of its monthly Patch Tuesday updating process on Feb. 13.

The software giant, based in Redmond, Wash., indicated that it will deliver its largest array of security updates in a single month since it addressed 12 individual product flaws in August 2006.

Microsoft plans to patch at least five issues in its Windows operating systems that have been ranked critical, its most severe vulnerability rating, and to address an additional pair of critical flaws in its Office productivity suite.

The company's Patch Tuesday preview on its security Web site does not offer specific details of the problems it plans to fix.

Among the factors contributing to the unusually high volume of February patches could be the discovery of four vulnerabilities it had planned to address in its January 2007 security bulletins. Microsoft surprised security researchers by deciding not to fix those vulnerabilities in the January update, including a weakness in its Visual Studio package that the company had originally committed to patching.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

It was unclear whether one of the critical Office security flaws that Microsoft plans to issue patches for Feb. 13 is a vulnerability being used in a wide number of targeted zero-day attacks. With researchers having recently identified at least five known unpatched Office file format flaws, it does appear that some of those problems may not be fixed by the upcoming shipment of bulletins.

Another candidate for patching could be a hole in the Excel spreadsheet program that is currently being exploited through so-called zero-day attacks, although the issue was only reported by researchers at anti-virus specialist Symantec on Feb. 7.

In addition to the Windows and Office updates, Microsoft said it plans to release updates for a critical issue found in a wide number of its own security programs, including its Windows Live OneCare, Microsoft Antigen, Windows Defender, Forefront Security for Exchange Server and Forefront Security for SharePoint applications.

Click here to read more about Symantec's discovery of a zero-day flaw in Microsoft Excel.

A bulletin meant to fix a critical problem in the Microsoft Data Access Components technology is also slated for delivery, bringing the total number of critical vulnerabilities expected to be addressed in the February Patch Tuesday release to nine.

Microsoft reported that it would pass along patches addressing a problem in Windows and Visual Studio that is rated "important," along with another important flaw present in Windows and Office. The final expected update will target an important vulnerability in Microsoft's Step-by-Step Interactive Training package.

The software maker will also issue two product bulletins via its Windows Update and Software Update Services and eight releases via its Microsoft Update and Windows Server Update Services that are unrelated to security.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

This article was originally published on 2007-02-08
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.