Microsoft today said it would issue six security updates next week, four of them critical, to patch 11 bugs in Windows, Internet Explorer, Office, SQL Server and its virtual private networking platform. One of the updates, labeled Bulletin 4, looks like the one that should top the to-do list next Tuesday when Microsoft ships its monthly security updates, said a security expert.
The quartet marked "critical," Microsoft's most dire threat ranking in its four-step scoring system, included Windows, Internet Explorer and Office updates, while the remaining pair were tagged "important," the second-level rating. Five of the six -- including one of those labeled as important -- will patch bugs that Microsoft said could be exploited by attackers to compromise PCs and plant malware on victimized machines.
"[Bulletin 4] is a head-scratcher," said Andrew Storms, director of security operations at nCircle Security. "Usually a bulletin covers developer tools or servers or Office, but whammo, here's one with everything."
Bulletin 4, according to Microsoft's advance notification advisory for April's Patch Tuesday, will affect Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime.
That's a lot of products, Storms said. "When administrators get this patch, the amount of due diligence necessary will be a lot more than the usual update," he added, referring to the internal testing enterprises usually conduct on Microsoft's fixes before deploying them to their machines.
While other researchers didn't rank Bulletin 4 as the most important update -- instead they highlighted Bulletin 1, the every-other-month update for IE -- they did make note of Bulletin 4. "Bulletin 4 will be challenging as it addresses a wide variety of applications including server side software," said Wolfgang Kandek, CTO at Qualys, in an email today.
Marcus Carey, a security researcher at Rapid7, called Bulletin 4 "interesting" and, like Storms and Kandek, cited the update's diverse targets as the reason.
Although Microsoft's bare-bones advance notification did not specify the software module(s) that Bulletin 4 will patch, Storms speculated that it would be in the Microsoft Data Access Components (MDAC), a set of components that lets Windows access databases such as Microsoft's own SQL Server.
Microsoft last patched MDAC vulnerabilities in January 2011. The bugs fixed at that time, also pegged as critical, were in the MDAC ActiveX control that allows users to access databases from within IE.
Another component, dubbed "Dedicated Administrator Connection" (DAC), could also be at the root of the problem, since it also is associated with SQL Server. The DAC lets administrators access a running instance of SQL Server Database Engine for troubleshooting when the server is unresponsive.
Kandek called out the IE update as his top priority next week. The update, marked critical for all editions -- from the ancient IE6 to the one-year-old IE9 -- on Windows XP, Vista and Windows 7, will probably include fixes for several flaws if Microsoft adheres to its usual practice of combining multiple patches in its six browser updates each year.
Other updates will address vulnerabilities in all versions of Windows, both for desktops and servers, in Office 2007, in the still-supported Microsoft Works 9, and in Forefront Unified Access Gateway 2010, the company's VPN (virtual private networking) platform that lets enterprise workers connect with corporate applications when outside the office.
Works, which Microsoft dumped from its active product list more than two years ago, is guaranteed support until Oct. 9, 2012. Microsoft will release the six updates at approximately 1 p.m. Eastern time on April 10.
Adobe has also slated updates for its Reader and Acrobat PDF software that same day. The company will assign those updates -- for Reader 9.5 and earlier, and Acrobat 9.5 and earlier -- a priority rating of "1," Adobe's highest. In this case, an Adobe spokeswoman confirmed Thursday, it does not mean that hackers are already exploiting one or more of the to-be-patched bugs, which is one criterion for the top ranking. Instead, she said, the "1" rating indicates Adobe believes those flaws "have a higher risk of being targeted ... once the update is released."