Microsoft plans nine updates on patch day
Microsoft plans to release nine updates on next Tuesday's patch day, six of which fix critical security vulnerabilities. Bugs are present in all Windows operating systems, Internet Explorer, the Office package, Visual Basic, Windows Media Player, Microsoft Virtual PC and Virtual Server. Eight of the vulnerabilities allow attackers to execute injected malicious code. In Virtual PC 2004 and Virtual Server 2005, attackers can escalate their privileges.
The Redmond-based company plans a patch to fix a critical bug, of which it gives no further details, in Windows 2000, XP SP2, XP 64 bit, Server 2003 SP1, Server 2003 64 bit and Server 2003 SP1 for Itanium systems. Microsoft is also fixing further critical vulnerabilities in Internet Explorer. One of the vulnerabilities is even classified as critical in all versions of IE from 5 to 7 under all supported operating systems, from Windows 2000 to Vista. A further security vulnerability affecting XML Core Services versions 3, 4 and 6 is classified as critical under Windows 2000, XP, XP 64 bit, Vista and Vista 64 bit, but as merely moderate under Windows Server 2003. XML Core Services 5 also gives rise to critical vulnerabilities in Office 2003, 2007, Office Groove Server 2007 and in SharePoint Server.
One update fixes a critical security vulnerability in Office 2000, which is, however, merely classified as important in Office XP and 2003 and in Excel Viewer 2003. Visual Basic 6 under Windows 2000 and XP, including the 64 bit version, contains a vulnerability classified as critical. Under Windows Server 2003, however, Microsoft classifies the risk as moderate. Vista is apparently not affected. One of the updates does, however, fix a vulnerability which exclusively affects Vista and the 64 bit version of Vista, and has been classified by the software group as important. A bug in Windows Media Player 7.1, 9, 10 and 11 also receives the classification 'important'.
Although Microsoft is now giving some details of the products and operating systems affected in its patch day advance notifications, it is difficult to determine which known security vulnerabilities are to be fixed by the updates. It is, however, probable that the vulnerability discovered in mid-June arising from a faulty ActiveX control in Office 2003 will remain open, as none of the bug descriptions appears to allude to a fix for this problem.
- Microsoft Security Bulletin Advance Notification for August 2007, security advisory from Microsoft