Microsoft will roll out a total of five critical patches for numerous versions of Windows operating systems in its upcoming September "Patch Tuesday" security update release, according to a Microsoft Advanced Notification bulletin posted Thursday.
All five patches plug holes that allow remote code execution, indicating that hackers could remotely exploit the vulnerabilities by launching malicious code to infiltrate users' PCs. Hackers often execute information-stealing malware for identity-theft activities, typically enticing users to click on infected links or visit a malicious site through some kind of social engineering scheme.
Of the five critical patches Microsoft plans to release, two require mandatory restarts, which is anticipated to cause some level of enterprise disruption, experts said.
Altogether, the patches target several versions of Windows, including Windows 2000, XP and Vista, as well as all three of Microsoft's server platforms 2000, 2003 and 2008. However, security experts speculate on whether the current critical patch load will also include fixes for Windows 7, scheduled for release Oct. 22, in light of the fact that the soon-to-be-released operating system shares a significant amount of code with Windows Vista.
"Given the significant amount of code shared between Vista and Windows 7, it is likely that some of these security bulletins could apply to Windows 7 or Server 2008 R2, but this is not addressed in the information released today by Microsoft," said Don Leatham, director of solutions and strategy for Lumension, in an e-mail.
What is likely not to be included in the Patch Tuesday bulletin is a fix for a recent security vulnerability affecting the FTP Service in Microsoft Internet Information Services 5.0. Microsoft released a security bulletin Tuesday warning users about the vulnerability after detailed exploit code was published on the Web.
If exploited, hackers could execute remote code on affected systems connected to the Internet and running the FTP service.
In an effort to help mitigate the vulnerability, the U.S. Computer Emergency Readiness Team (CERT) issued a warning Wednesday, advising IT administrators to disable anonymous write access to the FTP server, "although a proper impact analysis should be performed prior to taking defensive measures," CERT said in its advisory.
So far there are no known attacks exploiting the FTP vulnerability, however, Microsoft said it will continue to further investigate and monitor the situation. The vulnerability will likely be repaired in a monthly security bulletin or in an out-of-band patch.
