Microsoft To Release Critical Patches for Vista, XP, Office, IE, Visual Basic

IT pros better prepare to have their hands full next week as Redmond's February patch release is slated to roll out 12 security fixes -- seven rated "Critical," and five deemed "Important."

All of the seven critical items, like most patches in recent months, are designed to stave off remote code execution (RCE) bugs. As always, the advance notice isn't gospel as the nature, number and design of all of the patches (including most details) won't be known officially until Tuesday. But the preview is usually a pretty good indication of what's to come.

The first critical issue affects all Windows OS versions with the exception of Windows 2000 Service Pack 4.

Critical patch number two will be for Windows, Office and Visual Basic programs on all OS versions, although only Windows 2000 SP4, and all editions of XP and Vista, were labeled as "critical."

The third critical item is another Windows fix specifically dealing with exploits that would affect VBScript and Jscript language parameters on all OS versions but Vista. VBScript and Jscript are used mainly by Web developers working with Internet Explorer.

Speaking of IE, the popular browser is what the fourth bulletin in the critical group will mostly address. This fix is supposed to patch the system to prevent the intrusion of RCE-based bugs in all versions of IE up to and including IE7 for Vista.

The remaining three critical patches deal with MS Office Publisher versions 2000 to 2003, the whole Office suite of applications in Office 2000 SP3, and Microsoft Word 2000 SP3, respectively.

Meanwhile, the patches Redmond believes to be "important" deal with a more diverse scope of hacker risks. The five fixes comprise two denial of service attack plugs, one elevation of privilege risk, and two RCE considerations to round out the group.

The first important fix will affect all OS versions and their accompanying Active Directory Programs while Vista will not be affected. Conversely, the second item only affects Vista.

The third item, meanwhile, deals with elevation of privilege considerations in all Windows OS releases, as well as OS components such as MS Internet Information Services 5.0 and 6.0. Bulletin four, in the important group is likely a complement to the previous patch as it deals with IIS versions 5.1 and 6.0.

The last important fix for February's release is designed to address RCE exploits in all supported versions of Microsoft Works.

Of the 12 total patches, seven items will require restarts.

In addition to the large number of security patches compared with those issued last month, Microsoft will also release seven nonsecurity, high-priority updates on Microsoft Update and Windows Server Update Services, including its previously announced push of IE7.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.