Microsoft's next Patch Tuesday will cover three vulnerabilities rated as ‘Critical’ and ‘Important’.
The vulnerabilities are in Windows 2000, Server 2003, XP, Server 2008 and Windows Vista. The company has not disclosed the exact details of the patches, but it is believed that the critical flaw is considered a critical risk across all versions of Windows, while one of the ‘important’ patches would not affect systems running Windows XP and Windows Vista.
Alan Bentley, vice president of the strategic business unit for vulnerability management for Lumension, claimed that what was most interesting about the series of patches is that they affect all Windows operating systems, which are impacted by the remote code execution, implying that they could be compromised through malicious code.
Bentley said: “The critical patch is going to be a huge undertaking. The broad platform impact of the bulletin suggests that core services of the Windows Operating System are to be modified rather than isolated application components. When working on the core infrastructure it opens up other applications to potential risk making a simple patch deployment impossible.
“To make sure this is secure, IT departments will have to do a scan of the entire system as well as reboot all Windows machines in the entire enterprise. When at the server software level, rebooting is a very disruptive event making servers further exposed to vulnerabilities.
“In order for this vulnerability to be removed, IT will have to bring down the servers with the additional challenge of continuing to maintain service level agreements. Given the breadth of this critical update, all resources at Microsoft are likely to be engaged in getting this patch precise.”
He also claimed that due to the two important updates affecting all Operating Systems, it's likely that all three patches are related. As vulnerabilities one and two have the exact same exposure, a definite link exists between the two.
Bentley said: “An important side note is that Microsoft didn't provide a patch for the Excel vulnerability announced in security bulletin 968272 that had known exploits. Regardless of this exclusion, there is no doubt that this Patch Tuesday presents a hefty load for IT requiring an intense amount of planning, work and execution to ensure that their enterprise devices are securely protected.”