Fulfilling its May promise to provide more details in its “Security Bulletin Advance Notification,” Microsoft unveiled the new format in an advance alert issued last week. The upcoming “Patch Tuesday” on June 12 will include six security bulletins for Internet Explorer, Outlook Express, Windows, Vista’s Windows Mail and Visio, according to the release.
Microsoft ranks four out of the six security bulletins as critical, the highest threat rating possible, as they concern bugs that could allow hackers and other criminals to gain remote access to a Windows system.
Although advance notifications contain few specific details on upcoming fixes, analysts say the update is a must for both enterprise and average Windows users.
“Any time there are critical ratings, we watch very carefully, and as a general practice all critical updates need to be deployed immediately,” Rich Mogull, a Gartner security analyst, told TechNewsWorld.
Of the four critical updates, one deals specifically with a gap in Windows Vista security. The fix deals with the operating system’s Windows Mail in both Windows Vista and Windows Vista x64. Of the remaining three critical updates, one spans several operating systems including Windows 2000 Service Pack (SP) 4, Windows XP SP2, Windows XP Pro x64 Edition, Windows XP Pro x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP1 for Itanium-based Systems as well as SP2.
The third critical bulletin deals with a problem in several versions of Internet Explorer (IE), including IE 5.01 SP4 on Microsoft Windows 2000 SP4, IE 6 SP1 on Microsoft Windows 2000 SP4, IE 6 for Windows XP SP2, IE 6 for Windows XP Pro x64 SP2, IE 6 for Windows Server 2003 SP1 and SP2, IE 6 for Windows Server 2003 x64 Edition, IE 6 for Windows Server 2003 x64 Edition SP2, IE 6 Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, IE 7 for Windows XP SP2, IE 7 for Windows XP Professional x64 Edition, IE 7 for Windows XP Professional x64 Edition SP2, IE 7 in Windows Vista and IE 7 in Windows Vista x64.
The final critical update affects Windows XP SP2, Windows XP Pro x64 and Windows XP Pro x64 Edition SP2.
The rest of the updates contain patches for vulnerabilities deemed “Important to Moderate” and “Low” for both versions of Outlook Express in Windows 2003 SP1 and SP2, Windows Server 2003 x64 Edition including SP2 as well as Visio 2002 and 2003.
Tuesday’s six anticipated updates will bring the number of Microsoft bulletins for the first six months of 2007 to 35. In 2006, 32 bulletins were released in the same time period.
The revamped advance notifications are a boon to enterprise IT personnel, as they give them advance notice and time to prepare for any major changes coming on the second Tuesday of each month from Microsoft, Chris Rodriguez, research analyst at Frost & Sullivan, said. The sentiment was echoed by Rob Ayoub, another Frost & Sullivan analyst.
“There are so many challenges associated with patching,” Ayoub told TechNewsWorld, “that their customers wanted more of a heads-up. It would be pretty stressful to come into work on the second Tuesday [of each month] and not know how bad it was going to be.”
The advance bulletins include brief descriptions of each update, its severity ranking, a description of its possible impact, whether it can be detected by the Baseline Security Analyzer and the affected software. Now they also include a table that lists the updates, each affected Microsoft operating system or application and the level of severity.
The notices do not include any specific information on the vulnerabilities or potential workarounds. That level of detail will only be released when the updates are issued. That makes it hard to write about the fixes until more is known, Mogull said. “These preannouncements are just to prepare IT shops and don’t give enough information to understand what’s really going on.”