Windows administrators are going to be busy next week, as Microsoft plans to release twelve security patches for its products. The updates will include a fix for a widely reported vulnerability in Microsoft Word, as well as changes to the way Internet Explorer (IE) handles ActiveX that might cause headaches for some.
Nine of the patches will address vulnerabilities in the Windows operating system, some of which Microsoft rates critical. There will also be one "Important" fix for Microsoft Exchange, and two patches for Microsoft Office, including software that repairs the Word bug.
Last month hackers began e-mailing the Word malware to a handful of victims -- mostly within government agencies or contractors -- in a series of extremely targeted attacks, said Johannes Ullrich, chief research officer at the SANS Institute.
But as knowledge of the Word flaw has spread, researchers like Ullrich fear that it may be used in a more widespread attack. The vulnerability can be exploited to run unauthorized software on PCs, although users must first be tricked into opening a maliciously encoded Word document.
Microsoft also plans to finalize changes to the way IE processes dynamic content using ActiveX. Microsoft is changing the way IE works in response to a 2003 patent lawsuit loss to the University of California and Eolas Technologies Inc.
The changes will force developers to reprogram parts of their Web sites and intranets. Otherwise, IE will force users to click on a pop-up "tool tip" dialog box before being able to interact with things like Flash or QuickTime.
Microsoft has actually been rolling these changes into IE for months, but has offered users a "compatibility patch" that allowed IE to work on Web sites that had not been reprogrammed. With Tuesday's updates, though, there will be no way to avoid the ActiveX changes.
The biggest headache, however, will come from the sheer number of updates being released Tuesday, said Susan Bradley, chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy Corp.
Complicating matters is the fact that these patches will be released in the middle of Microsoft's Tech-Ed user conference. "I'll be at Tech-Ed in Boston and deciding if I remotely patch over the weekend or not," Bradley said via e-mail.