February 05, 2009, 2:47 PM — Microsoft plans to patch critical flaws in its Internet Explorer and Microsoft Exchange Server software next week.
In total, the company will issue four security updates, including two critical fixes as well as patches for Microsoft SQL Server and its Microsoft Office Visio, the company said in a note published on its Web site Thursday. Although hackers could theoretically exploit bugs in all of these products to run unauthorized software, Microsoft rates the SQL Server and Office flaws as less severe.
The SQL Server flaw may be a known issue that Microsoft acknowledged late last year. Security experts had been expecting Microsoft to patch this flaw in February. According to the researcher who disclosed the SQL issue, Microsoft has known about it since April and wrote its initial patch for the bug back in September.
It often takes Microsoft months, however, to run security fixes through its testing and quality assurance process.
It seems likely that Microsoft will finally patch the SQL issue, according to Andrew Storms, director of security operations with security vendor nCircle. That's because the list of affected software in the SQL patch is the same as the platforms Microsoft listed in its December alert on the SQL patch, he said.
Microsoft has also acknowledged an issue in its WordPad Text Converter, although that does not appear to be on the slate for next week.
Microsoft hasn't released a lot of patches in 2009. Last month it released just one update, a fix for a critical bug in the Windows Server Message Block (SMB) file and print service.
The February updates are due next Tuesday, Microsoft's regularly scheduled date for delivering its monthly security patches.
