Microsoft to fix 13 holes in Windows, IIS, and Office

Microsoft will issue nine bulletins fixing 13 vulnerabilities on Tuesday that affect Windows, Internet Information Services, and Microsoft Office, the company said on Thursday.

Four of the bulletins are rated "critical" and the rest are rated "important," according to the Microsoft Security Response Center blog.

Affected software includes Windows XP, Vista, and Windows 7; Windows Server 2003 and 2008; and Office XP, 2003, and 2007, with the older versions affected by the critical bulletins, according to the security advisory announcing the plans for September's Patch Tuesday.

"Organizations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them," said Don Leatham, senior director of solutions and strategy at Lumension. "Organizations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms."

It's possible that some of the bulletins will address a flaw in the way Windows handles DLL (dynamic-link library) files, that has been used in attacks in the wild. Microsoft has released a tool that allows system administrators to mitigate the risk from the vulnerability.

"I expect some of the bulletins to address DLL Hijacking issues in Microsoft's own products, but it will be interesting to see if Microsoft will change its guidance for Hotfix KB2264107," said Wolfgang Kandek, chief technology officer at Qualys. "Currently it is only at the advisory level and users have to make an active decision to get protection against DLL Hijacking in third-party applications."