14 DAY TRIAL // Microsoft will release a total of 11 security bulletins on April 13, 2010, as a part of the company’s monthly patch cycle. According to Jerry Bryant, group manager, Response Communications, no less than 25 vulnerabilities affecting Windows, Office and Exchange will be patched next week. Out of the 11 patch packages, no less than eight impact releases of the Windows operating system, two affect Office and one both Windows and Exchange.
In the Security Bulletin Advance Notification for April 2010, the Redmond company offers general details about the upcoming patches, enough so that IT professionals can make the necessary preparations for deployment, but not sufficient for attackers to do reverse engineering on the security updates before they become available.
“I also want to point out to customers that we will be closing the following open Security Advisories with next week’s updates: Microsoft Security Advisory (981169) - Vulnerability in VBScript Could Allow Remote Code Execution. Microsoft Security Advisory (977544) - Vulnerability in SMB Could Allow Denial of Service,” Bryant stated.
Five of the security bulletins coming next week have the highest severity rating of Critical, indicating that they will plug security holes that could allow for remote code execution in the eventuality of a successful exploit. All the Critical patches impact Windows.
There are two Critical security bulletins that will affect the latest iteration of the Windows client, Windows 7, the same as for Windows Vista SP2. There are no security updates planned for Office 2010, even though the next version of the productivity suite is close to RTM, with the business launch set for May. Microsoft traditionally only patches Critical vulnerabilities for pre-release software, and this is not the case for Office 2010.
Fact is that, if Microsoft hadn’t released the Security Bulletin MS10-018 - Cumulative Security Update for Internet Explorer (980182) at the end of March 2010, the company would have patched a total of 35 vulnerabilities on April 13th. MS10-018 was initially planned for next week, but was delivered early in order to resolve a zero-day vulnerability affecting Internet Explorer.