Microsoft is to release six patches for 11 vulnerabilities as part of its April security update, scheduled for today.
Four of the six fixes on its monthly Patch Tuesday will be rated as ‘critical’ and address flaws in Windows, Internet Explorer (including version 9), Office, SQL Server, server software and developer tools.
Three of the critical patches plug holes for Windows 7. The remaining two patches, deemed ‘important’, fix holes in the Forefront Unified Access Gateway product and Office.
Andrew Storms, director of security operations at nCircle, said: “So far this year, Microsoft has been issuing a fairly stable number of Patch Tuesday bulletins every month. We saw seven bulletins in January, nine in February and six in both March and April. This is quite a bit different than their historical pattern of dramatic swings in bulletin volume from month to month.
“Next week we'll be getting our standard Internet Explorer patch. It's questionable whether or not we'll get a patch for the Pwn2Own bug we heard so much about in early March in this update. Historically, Microsoft's development cycle is about 30 days for a regular IE patch, so it seems unlikely we'll get a patch for this bug next week.
“Bulletin number four has the potential to cause IT security teams some serious headaches because it covers Office, SQL Server, Biztalk, Commerce Server, Visual FoxPro and Visual Basic. Any time a bulletin covers such a wide range of products, IT security teams have to pause and think hard about deployment. It also requires some rigorous patch-testing.”
Wolfgang Kandek, CTO at Qualys, said bulletin number one would be the highest priority as it is for a critical vulnerability affecting all versions of Internet Explorer (6, 7, 8 and 9) on their respective platforms, XP, 2003, Win7 and 2008, both 32- and 64-bit.
“Bulletin two is the second most critical and updates the Windows operating system, again encompassing all versions, both 64- and 32-bit. Bulletin three is a critical update to the .NET framework. Bulletin four will be challenging as it addresses a wide variety of applications including server-side software. It is critical and applies to all versions of Microsoft Office, but also to SQL Server and other Microsoft server products,” he said.
Last week, Adobe announced plans to fix security flaws in its Reader and Acrobat software. Its scheduled quarterly update is also due to arrive today.