Heavy Patch Tuesday Expected Tuesday
Windows operating systems and servers, plus Office applications, among the updates
The last "Patch Tuesday" of 2008 will be a busy one, with Microsoft planning to release eight fixes next week, including six "critical" and two "important" items in its December security rollout, the company announced today.
All but one of the planned fixes in the December slate will be related to remote code execution (RCE) vulnerabilities found in Microsoft software. In addition, the company is indicating that all critical items in the patch will be RCE related. On top of that, there will be one elevation-of-privilege fix that Microsoft considers important.
Two of the critical fixes in the patch will apply to Windows operating systems. One will affect Microsoft Windows 2000 Service Pack 4, Windows XP, Windows Vista, and both the 2003 and 2008 editions of Windows Server. A second critical OS fix will just cover Vista and Windows Server 2003 and 2008.
Critical item number three appears to be yet another cumulative hotfix for Internet Explorer, affecting versions ranging from IE5.1 to IE6, as well as IE7.
The fourth critical item will patch Visual Basic applications affecting Microsoft Office FrontPage and Microsoft Office Project. The apps covered in this bulletin are Office FrontPage 2002 SP3, Office Project 2003 SP3, Office Project 2007, and Office Project 2007 SP1.
The last two critical items will be cumulative fixes for Microsoft Word and Excel.
Word 2000 SP3, Word 2002 SP3, and Word 2007 releases are affected. Other applications to get the critical fix include Word 2004 and 2008 for the Mac, Office Word Viewer, PowerPoint 2007, and Word for Microsoft Works 8.5.
Meanwhile, the critical fix for Excel touches Excel 2000 SP3, Excel 2002 SP3 and 2003 SP3, plus Excel 2007. Additionally, Excel 2004 and 2008 for Mac and Excel Viewer are on the slate to be patched.
The first fix among the important bulletins will be a cumulative update for SharePoint Server 2007 programs. This fix addresses an elevation-of-privilege vulnerability associated with this version of SharePoint. If left unpatched, an attacker could change a system's access parameters and possibly gain further entry.
The second important item will address plug-in vulnerabilities in most Windows Media Center applications. The roster of affected apps includes Windows 2000 Server, Windows Media Player 6.4 for Windows 2000 Server, Windows Media Format Runtime 7.1 and 9.0, and Windows Media Services 4.1. For those using Windows XP, the affected apps include Windows Media Player 6.4 along with Windows Media Format Runtime versions 9.0, 9.5, and 11.
For those using Windows Server 2003, the Windows Media Center components on the slate to be patched include Windows Media Player 6.4 and Windows Media Format Runtime 9.5.
Rounding out this vast list of important fixes, users of Vista and Windows Server 2008 will be patching Windows Media Format Runtime 11.
Five of the updates will require restarts.
Microsoft also provides information on general updates and other nonsecurity content in this knowledgebase article. It describes what to expect when getting updates via Microsoft Update, Windows Update, and Windows Server Update Services.
The December patch release will be a relatively hefty one, if all holds up. The advance notification is usually a good indication of what's to come.
-- Jabulani Leffall