Microsoft on Thursday said it would deliver nine security updates next week, four of them critical, to patch 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, and Silverlight.
This year's February Patch Tuesday will feature three fewer updates and one less patch than 2011's.
[ Windows 7 is making huge inroads into business IT. But with it comes new security threats and security methods. InfoWorld's expert contributors show you how to secure the new OS in the "Windows 7 Security Deep Dive" PDF guide. ]
Four of the nine updates were tagged "critical," the highest threat ranking in Microsoft's four-step system, while the other five were marked "important," the second-level rating. All of the critical updates and two of those pegged important will patch bugs that Microsoft admitted could be exploited by attackers to hijack computers and plant malware on PCs.
One interesting thing in today's advance notification, said Andrew Storms, director of security operations at nCircle Security, was the impact on Windows Server 2008 R2, Microsoft's newest server operating system.
"Seven Windows- and IE-related bulletins are applicable to Server 2008 R2, but Windows XP [32-bit] has only four. It's another lopsided month," said Storms, referring to past Microsoft claims that older software receive more security updates than newer titles.
That upside-down pattern has been prevalent lately. "If it keeps up, pretty soon 'lopsided' won't be lopsided," Storms said in an interview.
Another sign is the difference in the number of bulletins that affect Windows XP and Windows 7: One critical update is not applicable to the 10-year-old Windows XP, but does affect both 2007's Windows Vista and 2009's Windows 7.
Storms and several other security experts who weighed in via email unanimously pointed to the IE update as the one users will want to deploy first.
Microsoft patches its browser every other month.
"Last month, we saw how quickly attackers are incorporating browser-based attacks into their toolkits," Wolfgang Kandek, chief technology officer of Qualys, said in an email today. "An exploit for MS12-004 was detected a mere 15 days after Patch Tuesday."
MS12-004 was issued Jan. 10 to quash a pair of bugs in Windows Media Player that could be exploited using "drive-by" attacks triggered when users simply browse to a malicious site. Two weeks later, antivirus firm Trend Micro said browser-based attacks leveraging a Media Player bug were already circulating.
Marcus Carey, a security researcher at Rapid7, agreed with Kandek. "We're seeing a great many browser patches from Microsoft these days because researchers and attackers have realized that browser exploits have the most potential for harm and are currently the best attack surface," Carey said.
Next Tuesday's IE update will address one or more vulnerabilities in all versions of the browser, from the decade-old IE6 to last year's IE9. Storms pointed out that IE6's update is graded as "moderate," third on Microsoft's scale, while the newer browsers' patches will be pegged critical or important, depending on the version and operating system.
"The conclusion we can draw is that while IE6 is still vulnerable, [the bug] may be harder to get at than the other versions," said Storms. "But they'll patch it anyway."