Microsoft releases 64 fixes on April's bumper Patch Tuesday

woofy

Microsoft's patching is going from one extreme to the other. While March had just three bulletins fixing four vulnerabilities, next week 17 bulletins are being issued, fixing 64 different vulnerabilities. This ties with December 2010 as the most bulletins, and takes the clear lead for number of flaws fixed.

Nine bulletins are critical, with all carrying the risk of remote code execution. The remaining eight are ranked important; six of these enable remote code execution, one allows privilege escalation, and the last can lead to information disclosure. Seven of the bulletins have mandatory restarts; the remainder "may" do so.

As well as the typical patches for Windows, Internet Explorer, and Office, a couple of the bulletins include more unusual patches. Specifically, the Office Web Apps and Visual Studio are both receiving fixes this month. Not included in the list of patched software is Internet Explorer 9; this latest browser version is apparently immune to the flaws affecting versions 6, 7, and 8 that will be patched next week.

Microsoft has also confirmed that these patches include fixes for the MHTML flaw publicly disclosed in January, and an SMB flaw disclosed in February. In March, the company announced that it had learned of limited, targeted attacks using the MHTML flaw. The SMB flaw carried a theoretical possibility of remote code execution, but the company felt that denial of service was the more likely outcome. As ever, the full list of resolved flaws won't be announced until next week.

| # | Rating | Impact | Affected software |
|---|---|---|---|
| 1 | Critical | Remote Code Execution | Internet Explorer 6/7/8, Windows XP/2003/Vista/7/2008 R2 |
| 2 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 3 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 4 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 5 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 6 | Critical | Remote Code Execution | Office XP, Windows XP/2003/Vista/2008 |
| 7 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 8 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 9 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 10 | Important | Remote Code Execution | Excel 2002 (Office XP)/2003/2007/2010, Office for Mac 2004/2008/2011, Excel Viewer, OpenXML File Format Converter for Mac, Office Compatibility Pack |
| 11 | Important | Remote Code Execution | PowerPoint Web App, PowerPoint 2002 (Office XP)/2003/2007/2010, Office for Mac 2004/2008/2011, PowerPoint Viewer, PowerPoint Viewer 2007, OpenXML File Format Converter for Mac, Office Compatibility Pack |
| 12 | Important | Remote Code Execution | Office XP/2003/2007, Office for Mac 2004/2008, OpenXML File Format Converter for Mac |
| 13 | Important | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 14 | Important | Remote Code Execution | Visual Studio .NET 2003/2005/2008/2010, Visual C++ Redistributable 2005/2008/2010 |
| 15 | Important | Information Disclosure | Windows XP/2003/Vista/2008/7/2008 R2 |
| 16 | Important | Remote Code Execution | Windows XP/2003 |
| 17 | Important | Elevation of Privilege | Windows XP/2003/Vista/2008/7/2008 R2 |

The bulletins will be released on Tuesday at 10:00am PST, and there will be the usual webcast the following day at 11:00am PST (apparently, in spite of Redmond now being on PDT) to address customer questions.
 