Windows administrators are going to be busy next week, as Microsoft plans to release a whopping twelve security patches for its products. The updates will include a fix for a widely reported vulnerability in Microsoft Word, as well as changes to the way Internet Explorer (IE) handles ActiveX that might cause headaches for some.
Nine of the patches will address vulnerabilities in the Windows operating system, some of which Microsoft rates critical. There will also be one "Important" fix for Microsoft Exchange, and two patches for Microsoft Office, including software that repairs the Word bug.
Last month hackers began e-mailing the Word malware to a handful of victims - mostly within government agencies or contractors - in a series of extremely targeted attacks, said Johannes Ullrich, chief research officer at the SANS Institute.
But as knowledge of the Word flaw has spread, researchers like Ullrich fear that it may be used in a more widespread attack. The vulnerability can be exploited to run unauthorised software on PCs, although users must first be first tricked into opening a maliciously encoded Word document.
Microsoft also plans to finalise changes to the way IE processes dynamic content using ActiveX. How IE responds to a 2003 patent lawsuit loss to the University of California and Eolas Technologies, is also being altered by Microsoft.
The changes will force developers to reprogram parts of their websites and intranets. Otherwise, IE will force users to click on a pop-up "tool tip" dialog box before being able to interact with things like Flash or QuickTime.
Microsoft has actually been rolling these changes into IE for months, but has offered users a "compatibility patch" that allowed IE to work on websites that had not been reprogrammed. With Tuesday's updates, though, there will be no way to avoid the ActiveX changes.
The biggest headache, however, will come from the sheer number of updates being released next week, said Susan Bradley, chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy.
Complicating matters is the fact that these patches will be released in the middle of Microsoft's Tech-Ed user conference. "I'll be at Tech-Ed in Boston and deciding if I remotely patch over the weekend or not," said Bradley.