Microsoft has published the Microsoft Security Bulletin Advance Notification for December 2009. According to the notice, Microsoft will release a total of six new security bulletins next Tuesday for the final Patch Tuesday of 2009.
On the upside for Microsoft, that will bring the total for the year to 74 security bulletins--four fewer than the 78 security bulletins released in 2008. Of course, some patches correct multiple flaws and vulnerabilities, so the number of security bulletins is not an exact measure of the number of vulnerabilities patched.
Let's take a quick look at what to expect from Microsoft next week.
Critical Updates
There are three security bulletins rated as Critical, and three rated as Important. The Critical security bulletins affect Microsoft Windows, Microsoft Office, and Internet Explorer, while the Important security bulletins impact only Microsoft Windows and Microsoft Office.
Five of the security issues could potentially be exploited to allow remote execution of malicious code. Translated, that means the attacker could take control of the vulnerable PC over the Internet and install additional malicious software and tools. Several will require that the PC be rebooted to complete the installation of the applicable updates.
One security bulletin, rated as Important, affects Microsoft Office, including older versions such as Office XP and Office 2003. This security bulletin also impacts Microsoft Works 8.5 and the Office Converter Pack, which provides some backward file-viewing compatibility with the older Office 97 suite.
Windows 7 In the Clear
It is worth noting that Windows 7 is not affected by any of the six security bulletins. The security bulletin that addresses the Internet Explorer 8 zero-day flaw discovered after last month's Patch Tuesday has a peripheral impact on Windows 7, but the operating system itself is not targeted by any of the upcoming patches.
The recent KSOD (this is the acronym adopted for the "black screen of death" issue because BSOD is already part of the technology lexicon as "blue screen of death") issue hyped by Prevx is not addressed by any of the security bulletins. Microsoft is still investigating the root cause of the issue and may release a patch at a later date if it determines that the problem is a flaw in the operating system.
Next week will wrap up 2009 for the Microsoft security bulletins--barring any out-of-band updates that are sometime released on an emergency basis when a vulnerability is having a pervasive and immediate impact. It will be interesting to see what 2010 has in store.
Windows 7 is the most secure desktop operating system Microsoft has yet developed. With Windows 7 assuming the throne as the de facto flagship desktop operating system, it will be interesting to see what impact that will have on security in general and what sort of new methods attackers will come up with to try and circumvent the controls in Windows 7.
If you don't have Automatic Updates turned on in Windows, make sure you check Windows Update next Tuesday to download and install the patches and updates appropriate for your PC.