Biggest set of updates in six months will fix Windows, IE, Excel and Word

By Gregg Keizer, ComputerWorld, April 9, 2009

Microsoft Corp. today said it will issue eight security updates on Tuesday, the most since October 2008, to patch problems in Windows, Internet Explorer (IE), DirectX, Excel, Word and the company’s security software.

Five of the eight updates will be labeled “critical,” Microsoft’s highest ranking in its four-step threat system, today’s notice said, while two will be pegged “important,” the next rating down, and one marked “moderate.” “It’s going to be a difficult month to set priorities for patching,” argued Andrew Storms, director of security operations at nCircle Network Security Inc. “There are updates for Windows, one that’s critical across the board, a browser update that affects everyone and an Office update. That’s a lot of different groups to juggle.”

Five of the eight updates will address flaws in Windows, with other updates tackling vulnerabilities in IE, Excel and the Internet Security and Acceleration server software. Three of the five Windows updates have been tagged critical, as have the IE and Excel updates.

The Excel update is probably a patch for the vulnerability in the spreadsheet program that Microsoft acknowledged nearly two months ago, said Storms. In late February, Microsoft issued a security advisory warning users that attacks were already in circulation, adding that all supported versions of Excel, including the latest — Excel in Office 2007 on Windows and in Office 2008 for the Mac — were affected.

At the time, Microsoft told users they could protect themselves by blocking Excel files from opening, a process that requires editing the Windows registry, or by running Excel 2003 documents through the Microsoft Office Isolated Conversion Environment, a tool the company launched in 2007.

Microsoft did not patch the Excel bug last month when it released its regularly scheduled updates on March 10.

“Nothing else here maps to any known vulnerabilities,” said Storms.

The IE update will patch IE 5.01, IE6 and IE7, but not the recently-released IE8, and was marked critical on the Windows client, important on the server side.

One of the five Windows updates is similar, in that it has been labeled critical for all versions, including Windows 2000, XP, Vista, Server 2003 and Server 2008. “It’s a big call-out whenever something’s critical for Vista and Server 2008,” said Storms, because that means the bug is in the software that Microsoft considers its most secure.

Storms also dubbed some of the updates “oddballs” based on the scanty information that Microsoft makes available prior to releasing updates. “The one they call ‘Windows 1’ affects both the operating system and Office,” he said. “That’s an oddball case, and I’ve been trying to think of what it could be. Maybe it’s something like XML or OLE, something that’s not only embedded in the OS but also used in the application.”

Microsoft said the Windows 1 update will affect older versions of Microsoft Word from Office 2000 and Office XP, but not from Office 2003 or Office 2007.

It’s likely that Microsoft will patch more than just eight vulnerabilities in the eight updates, said Storms. Microsoft often packs updates, those for IE and Office in particular, with several separate patches. “I think we’ll certainly see a lot of CVEs,” he said, referring to the Common Vulnerabilities and Exposures bug-naming system.

Storms expects that next Tuesday will be a rough day for IT and security administrators as they wrestle with the biggest Microsoft patch day in months. And there’s even more work for some.

“Just hope you don’t have Oracle [software] running, too, because they’re updating on Tuesday,” he said. Oracle is also slated to issue its quarterly security update on April 14.

Microsoft will issue April’s eight updates at approximately 1 p.m. Eastern time on Tuesday.