Microsoft plans to deliver ten patches, six of them “critical,” next Tuesday when it makes its scheduled monthly patch drop — on what’s known as “Patch Tuesday.”
On the list of serious bugs to patch this time around is one in Internet Explorer (IE) that even affects IE8, which just shipped in March.
The disclosure is part of Microsoft’s (NASDAQ: MSFT) pre-notification system meant to provide some regularity as well as advance warning to IT customers as to what products they’ll need to fix the following week.
June’s Patch Tuesday drop will be about average in terms of the number of bugs Microsoft fixes.
While Microsoft does not disclose the details of security holes until it patches them, the IE vulnerability is rated critical — the highest of four levels on its severity rating scale. That normally means that a user could be infected by simply clicking a link or, sometimes, by merely visiting a malicious Website.
The IE bug is rated critical for all supported versions of IE running on Microsoft’s client Windows platforms, from IE 5.01 on Windows 2000 Service Pack 4 (SP4) up through IE8 running on Windows Vista SP2. That means XP clients are also at risk. Both 32-bit and 64-bit editions of XP and Vista are at risk.
Server versions of Windows are not vulnerable to the IE bug. However, Windows 2000 Server SP4 is vulnerable to a pair of critical security holes Microsoft is fixing in Windows. For other versions of Windows, Microsoft only ranks these two bugs as “important” or “moderate” — the second and third highest levels, respectively, of Microsoft’s four-tier rating system.
Microsoft also plans next week to patch critical holes in two Office applications: Excel 2000 SP3 and Word 2000 SP3. All of the other versions of Excel and Word are only rated “important.”
In addition, the company has four other patches for Windows coming, but those are only rated as important.
However, users who hoped that last month’s single bug fix, for a zero-day hole in Windows’ DirectX streaming media technologies, was a sign of things to come will be disappointed, says one observer.
“Contrary to speculations in the security community, last month’s single bulletin appears to have been an aberration rather than a sign that the patch burden for Microsoft products is diminishing,” Tas Giakouminakis, CTO of security firm Rapid7, told InternetNews.com in an e-mail. “The 10 bulletins to be released in June are more in line with the historical number of monthly vulnerabilities,” he added.