July Patch Tuesday Brings 22 Bug Fixes From Microsoft

Microsoft will release four bulletins next week for vulnerabilities in Windows and the Office productivity suite

Microsoft plans to fix 22 bugs across four vulnerabilities in July’s Patch Update release next week.

One bulletin has a maximum severity rating of “critical” and the remaining three are rated “important”, Microsoft said in its Patch Tuesday advance notification. The critical bulletin addresses vulnerabilities that can result in remote code execution attacks against Windows Vista SP1, Vista SP2 and Windows 7.

The critical bulletin and two of the important bulletins address security holes in all supported versions of the Windows operating system, including Windows XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2.

A ‘Rather Disruptive’ Patch Tuesday

The final bulletin will fix security issues in Microsoft Visio 2003 Service Pack 3 that could be exploited remotely to execute code. This patch will likely be the second-highest priority for administrators to deploy, Amol Sarwate, a vulnerability labs manager at Qualys, said.

This month’s Patch Tuesday release is expected on July 12.

Even though it has only a quarter of the bulletins that last month’s update package has, July’s release is “rather disruptive”, as the patches affect the operating system and require a restart, Paul Henry, a security and forensic analyst at Lumension, told eWEEK.

Even so, many companies will have a relatively easier time with the updates because of the “limited exposure” of affected software, so they will not have to install all the patches, Sarwate said.

“Although this is a ‘light’ Patch Tuesday month, it is important to keep an eye out for any non-Microsoft vendors releasing new updates,” said Jason Miller, manager of the research and development team at VMware. For example, Oracle is expected to issue its scheduled quarterly Critical Patch Update on July 19.

Constant Stream Of Updates

Lumension’s Henry agreed with Miller, noting the “constant stream of vulnerabilities” being discovered in mobile devices, including the PDF flaw recently uncovered for iOS devices and the zero-day in Hewlett-Packard’s new TouchPad. Apple said it will roll out a fix for the mobile Safari Web browser in a future update.

“The point here is that Microsoft does not have exclusivity when it comes to issuing patches,” Henry said. Administrators need to stay on top of the updates from all the vendors they work with, he said.

Microsoft is also expected to retire Office XP and Windows Vista Service Pack on July 1, 2012, the company has announced. After this Patch Tuesday, Microsoft will stop issuing security updates for the productivity suite from 2001 and Vista SP1. Office XP was last patched in June’s update.

Vista users can continue getting updates by installing SP2, which was released May 2009, and mainstream support will be available until April 2012. Office XP users can upgrade to Microsoft Office 2010, or even to Office 2007 Service Pack 2 or Office 2003 Service Pack 3, Microsoft said. Security updates will be available for Office 2007 SP2 and Office 2003 SP3 until April 2017 and April 2014, respectively.

Microsoft generally supports software for 10 years and issues security updates during that entire time period, but security updates are generally available only for the first five years. Updates during the last five years are available only to users who paid for special support contracts.