Microsoft leaves users in dark over Patch Tuesday
Five patches but company sketchy on details
By Gregg Keizer | Computerworld US | Published: 06:27, 04 September 2009
Microsoft is to deliver five security updates for this month's Patch Tuesday. All the updates, to be delivered next week, will affect Windows and all will be ranked "critical," the company's highest threat rating.
Unlike some months when Microsoft provides its usual advance notification for upcoming updates, this time there weren't any hints of what may be coming, said Andrew Storms, director of security operations at nCircle Network Security.
"It's a foggy advance warning," said Storms. "I'm a little bit at a loss for words. There doesn't seem to be anything here that has been disclosed publicly."
That didn't stop Storms from speculating, though. "We could see another ATL update," he said, referring to the flaws in Active Template Library (ATL), a Microsoft code "library" that it and third-party developers use to create software.
Microsoft acknowledged the ATL vulnerabilities in July, when it issued two emergency updates to patch six bugs in its own software. Since then, it and several other vendors, including Adobe, have released additional patches for programs that inherited the ATL flaws.
"It wouldn't be surprising if Microsoft still had some ATL bugs to fix," said Storms, "although I think it's also likely that we'll see more third-party patches than ones from Microsoft."
As Storms said, four of the five updates apply to Windows Vista - all four of those are ranked critical - while the same four will also impact Windows Server 2008, the newest production version of Microsoft's server software. Three of those Server 2008 updates were pegged critical, while the fourth was rated as "important," the next-lowest threat level.
Windows 2000, Windows XP and Windows Server 2003 will also receive updates Tuesday.
"We usually don't expect to see Microsoft's new OSes to be critical," noted Storms. "It's also unusual that they're all for Windows. So this is out of the ordinary."
Microsoft won't be patching the just-revealed vulnerability in its popular Internet Information Services (IIS) Web server, according to Storms. "We couldn't expect Microsoft to patch it that fast," he said, reading the tea leaves of the advance notification to dismiss any thought that the bug in IIS 5.0, 5.1 and 6.0 will get a fix next week.
Even though Microsoft promised that it would patch IIS at some point, other analysts had said it was very unlikely that Microsoft would have an IIS patch ready in time.