According to the Microsoft Security Response Center, Microsoft will issue 13 Security Bulletins addressing 26 vulnerabilities on Tuesday, and it will host a webcast to address customer questions about the bulletins the following day (February 10 at 11:00am PST, if you're interested). Five of the bulletins are rated "Critical," seven are marked as "Important," and the last one is classified as "Moderate." All of the Critical bulletins earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of a vulnerable machine. At least 10 of the 13 patches will require a restart.
The list of affected operating systems includes Windows 2000, Windows XP (x86 and x64), Windows Server 2003 (x86 and x64), Windows Vista (x86 and x64), Windows Server 2008 (x86 and x64), Windows 7 (x86 and x64), and Windows Server 2008 R2 (x86 and x64). In terms of the Microsoft Office suites, only older versions are affected: Office XP, Office 2003, and Microsoft Office 2004 for Mac.
Compared to last month's quiet Patch Tuesday, this one is quite a whopper. The exact breakdown of the bulletins is as follows:
• Bulletin 1: Critical (Remote Code Execution), Windows
• Bulletin 2: Critical (Remote Code Execution), Windows
• Bulletin 3: Critical (Remote Code Execution), Windows
• Bulletin 4: Critical (Remote Code Execution), Windows
• Bulletin 5: Critical (Remote Code Execution), Windows
• Bulletin 6: Important (Remote Code Execution), Office
• Bulletin 7: Important (Remote Code Execution), Office
• Bulletin 8: Important (Remote Code Execution), Windows
• Bulletin 9: Important (Denial of Service), Windows
• Bulletin 10: Important (Elevation of Privilege), Windows
• Bulletin 11: Important (Remote Code Execution), Windows
• Bulletin 12: Important (Denial of Service), Windows
• Bulletin 13: Moderate (Elevation of Privilege), Windows
If you're wondering, the 17-year-old Windows hole we reported on last month is indeed being plugged next week. As for the Internet Explorer flaw disclosed this week, Microsoft understandably isn't ready to patch it yet. What is worrying, however, is that Redmond says it is still working on a patch for the SMB flaw that can be used to crash Windows 7 and Server 2008 R2 remotely. That was disclosed three months ago, so the company is lagging quite a bit with that one.
Along with these patches, Microsoft is also planning to release the following on Patch Tuesday:
• One or more nonsecurity, high-priority updates on Windows Update (WU) and Windows Server Update Services (WSUS)
• One or more nonsecurity, high-priority updates on Microsoft Update (MU) and WSUS
• An updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Microsoft Download Center
This information is subject to change by Patch Tuesday; Microsoft has been known to rush patches out as well as pull them when it deems it necessary.