Microsoft will issue six security updates this week for Windows, Internet Explorer, Outlook Express, Windows Mail and Visio, the company has announced using its new expanded format for advanced warnings.
Four of the six bulletins scheduled for Tuesday, June 12, will be ranked "critical" — Microsoft's highest threat rating — while one each will be labelled "important" and "moderate." Half of the batch affect Windows Vista, or one of its components, such as Internet Explorer 7 or the Windows Mail email client; of the three Vista patches, two are pegged critical.
The advanced notification pinned Windows with three updates, Internet Explorer with one, Outlook Express and Windows Mail with one, and Visio 2002 and Visio 2003 with one.
This was the first early warning in the new, more detailed format that Microsoft promised last month when it said customers asked for additional information to plan their patching schedules. Each of the six expected updates was recapped with short description, severity rating, description of potential impact, whether the Baseline Security Analyser will detect patch need, and the affected software.
A separate table broke down the last by Windows version or component, with individual entries, for instance, representing Windows XP SP2, Windows Vista, Windows Vista 64-bit, IE 6 for XP SP2, and IE 7 for Vista. If nothing else, this table gave users a much clearer picture of what is vulnerable, and how severe the bug may be for each edition of Windows. For example, the table showed that Vista will receive fixes for critical bugs in Vista's Internet Explorer 7 and Windows Mail.
Seven non-security updates classified "high priority" will also be unveiled on Tuesday via Windows Update and Windows Server Update Services (WSUS), said Microsoft.
The exact number of vulnerabilities patched by each update — many of Microsoft's bulletins plug multiple holes — the nature of the vulnerability, and possible workarounds, however, remained missing. As before, users will have to wait until the bulletins are released for these details.
Even with the new information, it was impossible to predict all of Tuesday's results in advance. Microsoft's Visio 2002 and Visio 2003, for example, have no known unpatched vulnerabilities, so the bug was either found internally by Microsoft or reported privately to the company. Likewise with the Outlook Express/Windows Mail patch; Secunia ApS lists no known bug capable of remote code execution.
The improved clues, however, pointed to at least one open Windows bug. eEye Digital Security reported a remote code vulnerability in Windows 2000, XP, and Server 2003 to Microsoft in late March; those characteristics match one of the six bulletins planned for next week.
Assuming Microsoft releases all six updates, users will have faced 35 bulletins in the first half of 2007, three more than the 32 in the first six months last year.
Tuesday's updates will be available for manual download from the Microsoft website about 1 pm PDT.