Microsoft to release three critical patches among a bundle of nine on next week's Patch Tuesday.
According to Trustworthy Computing spokesperson Angela Gunn, the Tuesday July 10th release is scheduled to include nine bulletins to address 16 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer and Visual Basic for Applications.
Of the three critical bulletins, two are for Windows and one covers both Internet Explorer and Windows; all fix remote code execution flaws. The remaining ‘important’ bulletins address flaws in Windows, Office, SharePoint and Office for the Mac.
Microsoft also said that it would release an updated version of its Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center next week.
Andrew Storms, director of security operations at nCircle, said: “Looks like we are going to get some unanticipated Internet Explorer fireworks this month. Usually, Microsoft patches Internet Explorer every other month, and we just got a cumulative update in June. That's why it's so surprising to see that IE9, the 'most secure' version of Internet Explorer, will be patched next week. It's pretty safe to say this bulletin will patch something pretty serious.
“On June 12th, Microsoft issued a security advisory for their core XML services, but there's no mention of this bug being patched in today's notification. Usually, if a bug with an advisory is going to be patched, MSRC will mention it in their advance notification blog post. If Microsoft doesn't patch this bug it's going to cause some heartburn for IT security teams. We've already seen reliable reports that the exploit for this bug has been included in several popular attack tool kits.”
He said: “This bulletin will be the highest priority for users, at least for those who did not apply Microsoft's FixIt supplied in the advisory. Bulletin two is for Internet Explorer, and is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months. The bulletin only applies to IE9 and is thus limited to Vista and above. Bulletin three is ‘critical’ for all desktop operating systems, XP, Vista and Windows 7; for all others it is rated only ‘moderate’.”
Paul Henry, security and forensic analyst at Lumension, said that this release brings Microsoft's total to 51 bulletins for 2012, about on par with 2011, which had seen 56 bulletins by this time of year.
“Looking at the bulletins, one of the first things that jumps out is that these really impact the entire family of products, from XP all the way to 2008. This is really a weird mix of patches, impacting both legacy and current generation software with critical issues,” he said.