Microsoft said that it will release four security updates next week to patch every supported version of the company's Office business suite. All four updates will be labelled "critical," the company's highest threat ranking.
The number of security bulletins Microsoft plans to issue on Tuesday, March 11, is substantially below last month's 11, but the Office-only nature of the updates is unusual, according to one security expert. "It's extremely rare," said Andrew Storms, director of security operations at nCircle Network Security. "This is the first time I've seen this, where not only are all the bulletins related to Office, but all are marked critical."
Microsoft's slate will patch Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac and Office 2008 for Mac, said the prepatch notice posted to the company's Web site this morning.
"But Office vulnerabilities aren't so rare that we shouldn't have expected something like this," said Storms. "Office has continued to play a pretty big role in Microsoft's security bulletins." Last month, in fact, four of the 11 updates plugged holes in the suite's applications.
Storms hesitated to guess at what vulnerabilities might be behind each update. "It's too early to tell if these involve publicly known vulnerabilities. There's not enough information here." Still, some of the expected updates caught his eye.
Tagged Thursday in the prepatch notification as "Bulletin 2," one of the updates will repair Outlook, the suite's e-mail client. Judged "critical" by Microsoft, the fix will affect all currently supported versions of Outlook, including Outlook 2007. "I was quite flabbergasted to see [the critical ranking on] Outlook 2007," said Storms. "That's bucking the trend, seeing something critical across the board."
Most Office updates slap a critical label on the oldest version of the bundle, Office 2000, but use less dire ratings on newer versions, thanks to Microsoft's work securing the applications -- notably their file formats. In the case of Outlook, however, the bug is pegged critical in all still-supported editions, from Outlook 2000 to Outlook 2007.
"That means it's probably not a format parsing problem," said Storms, referring to frequently-found vulnerabilities in Office's file formats, which attackers continue to leverage. "It looks to me like it's a problem more inherent to Outlook [itself], something deeper in the code."
Of the other three bulletins planned for next week, one appears to be a patch for an Excel file format flaw, a second also relates to the spreadsheet application, while the third deals with a bug in Office Web Components -- controls that let users publish spreadsheets, charts and databases to the Web, then view that content once it's published.
Missing from the March line-up, however, is a critical update that was dropped from the February list. None of the descriptions in Thursday's notice matched the bulletin addressing VBScript and JScript issues that Microsoft yanked at the last minute last month.
Microsoft will release the four updates next Tuesday around 1 p.m. Eastern time. It will also deliver three high-priority, non-security updates at the same time, the company said.