Microsoft Patches Windows Vista, XP, Office, IE

One of the Microsoft critical updates for next Tuesday affects every version of the Windows operating system, including Windows XP, Windows Server 2008 and Service Pack 1 for Windows Vista.

“That one has to be a pretty bad bug to be critical across the board like that,” said Andrew Storms, director of security operations at nCircle Network Security Inc. “I would have expected a drop in criticality for Vista SP1, and most certainly in Server 2008. Something should have mitigated the vulnerability.”

Microsoft gave no specific details in the monthly preview of next week’s “Patch Tuesday,” but did label each version of Windows as critical.

Microsoft uses a four-step scoring system to rank vulnerabilities it discloses and patches. Five of the eight bulletins will be pegged critical, while the remaining three will be rated “important,” the second-most-dire indicator.

Also planned for next Tuesday are multiple updates for Internet Explorer and Microsoft Office. One of the two IE-specific updates will plug one or more critical holes in IE7, the current production version of the company’s browser.

Both Visio and Project, two of the lesser-known applications in the Office line, will also be repaired by separate updates marked as important; most likely the vulnerabilities will be in those programs’ document file formats, Storms said.

Microsoft will also release a fix for vulnerabilities in VBScript and JScript that it had once scheduled for February but had yanked at the last minute. No explanation was given for its withdrawal at the time, and the update didn’t make it into the March batch.

The eight security updates will be posted Tuesday at around 1 PM EST, 10 AM PST. Users who have “Auto Updates” turned on in Windows will receive them automatically.