Six Patches Coming on Patch Tuesday

Microsoft will issue six security patches next Tuesday, of which at least two will have a rating of critical. Missing from this list is a patch for a recently discovered zero-day flaw in Word: no updates are scheduled for the Office suite.

All of the patches except one will fix various issues for the Windows operating system, with one of those being critical. The sixth will be a critical patch for users of Microsoft's Visual Studio programming application.

While Microsoft never discloses the nature of the patches in order to protect users, sometimes past disclosures of vulnerabilities can give clues to the company's moves. For example, the Visual Studio flaw may deal with an exploit first disclosed in early November.

That vulnerability apparently put users at a possible risk for remote code execution, say experts.

Left unpatched is a zero-day exploit for Word 2003 and earlier versions. Earlier this week, the US-CERT team from the Dept. of Homeland Security warned that a previous patch seemed to be ineffective against a "malformed string vulnerability" within those applications.

Microsoft said that it was working on correcting the new vulnerability, but apparently the new exploit had been disclosed late enough that the company was not able to issue a patch in time for next Tuesday. It would not be out of the ordinary, however, for the company to release an out-of-cycle patch.

In addition to the security update, Microsoft also plans to issue an updated version of the Microsoft Windows Malicious Software Removal Tool.

Besides the security updates, Patch Tuesday will be quite busy on the non-security patch front. Four high-priority updates will be released through Windows Update, with 10 coming through Microsoft Update, the company said in its monthly advisory.