Microsoft's monthly patch update, which will be released next week, looks set to deliver nine security bulletins, and all but one affect Windows.
Five of the bulletins are pegged 'critical', the company's highest threat rating, while the remaining four are marked 'important'. Of the nine updates, eight affect various versions of Windows, while the ninth deals with vulnerabilities in Office, Visual Studio, Internet Security and Acceleration Server (ISA Server), BizTalk Server and other products.
One of the eight Windows updates also affects what Microsoft dubbed 'Client for Mac', meaning Remote Desktop Connection Client for Mac, the software that lets Mac users connect to Windows-based machines.
"It won't be a go-take-a-nap month," said Andrew Storms, director of security operations at nCircle Network Security. "The good thing is that we're not looking at a lot [of vulnerabilities] in the public domain, so that should give everyone some time, a week or two at least, to test the updates before they deploy them."
One of the nine bulletins, however, appears to address the only unsolved issue Microsoft has publicly acknowledged: one or more flaws in its Microsoft Office Web Components (OWC).
"The outstanding bug we know [exists] they disclosed July 13," Storms said. "And Bulletin 1 today is the only one that affects the Office Web Components. I'd say that Microsoft's on track to patch that this month."
Last month, Microsoft issued a security advisory related to OWC, saying that hackers were already exploiting an unpatched, critical vulnerability in a company-made ActiveX control, putting people running Internet Explorer (IE) at risk. The flawed ActiveX control is used by IE to display Excel spreadsheets in the browser.
Microsoft's advisory went out the day before its regularly-scheduled July batch of security updates; most analysts had not expected to see a fix make the July slate.
Just over a week ago, Microsoft rushed a pair of emergency updates to users that plugged multiple holes in IE and Visual Studio. Those vulnerabilities were traced to ATL, a library used by Microsoft and an unknown number of third-party developers to create ActiveX controls and application components.
Adobe, for instance, admitted its Flash Player and Shockwave Player were developed using the buggy ATL, and updated both applications late last week after recompiling them with a patched ATL.
"I wonder if we aren't looking at an entire month of ATL fixes," said Storms.
"One thing I noticed at Black Hat [was that] I didn't see any MSRC [Microsoft Security Response Center] people at the Dowd et al talk when they talked about this [ATL] bug," he added, referring to the Las Vegas security conference that wrapped up a week ago.
"[That] would lead one to believe that [Microsoft had] already worked the issue internally [and that] it was behind them."
But it's impossible to tell the specific components within Windows that Microsoft will patch, and thus what risk users face, until next Tuesday, Storms argued.
"It looks like they'll be patching core parts of the operating system," he said. "Sometimes that's a little more worrisome than when Microsoft patches a single application, like IE, because if there's a problem with the patch, the entire OS could go down into a Blue Screen of Death."