Friday, August 31, 2007

Microsoft To Patch Critical Windows, Office Flaws

Microsoft Corp. plans to hand customers nine security updates Tuesday, patching flaws in Windows, Office, IE, Virtual PC and XML Core Services. Six updates will address critical vulnerabilities attackers could exploit remotely to run malicious code on targeted machines.
Microsoft Windows, including Vista, will be among the software updated, according to the advance notification Microsoft posted on its TechNet site Thursday. Other fixes will target security holes in Microsoft Office, Internet Explorer, Visual Basic, Virtual PC and Virtual Server.

Microsoft typically describes critical flaws as those attackers could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts.

Meanwhile, the software giant will release several non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS); and two non-security, high-priority updates for Windows on Windows Update (WU) and Software Update Services (SUS). And, as it does every month, the company will update its malicious software removal tool.

Last month, Microsoft released six security updates, three of which addressed critical flaws in Excel, Windows and the .NET Framework.

The exploits of August

While there's no indication this month will be more problematic for IT administrators than usual, there is a history of trouble following Microsoft's August patch releases.

Last year, the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 security update as soon as possible because the Windows Server service flaw addressed in the update was considered highly wormable. Within days of the patch release, attackers were targeting the flaw with malware in a bid to expand their IRC-controlled botnets.

Two years ago, security experts sounded the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its MS05-039 security update. Attackers exploited the flaw a few days later with the Zotob worm.

And in July 2003, Microsoft released MS03-026 to patch the RPC-DCOM flaw. By early August, the Blaster worm was using the flaw to spread across the Internet.

Some have theorized that August tends to be a bad month because attackers like to strike when a lot of IT professionals are on summer vacation. Others believe it's because hackers like to use Microsoft's August flaws to try out attack methods they picked up at the Black Hat and Defcon conferences, which are held each year at the beginning of August.