Microsoft today announced it will deliver seven security updates to customers next week, including an almost-habitual one for Internet Explorer (IE), and others for Windows, Office and Lync, the company's communications server software.
Before then, Windows 8.1 devices that rely on Windows Update to obtain patches must have moved to Windows 8.1 Update, an interim upgrade Microsoft shipped in early April.
[ Windows 8 left you blue? Then check out Windows Red, InfoWorld's plan to fix Microsoft's contested OS. | Want a new PC? InfoWorld picks the 12 best Window 7 PC models available today. | Stay atop key Microsoft technologies in our Technology: Microsoft newsletter. ]
The IE update, one of two classified as "critical," Microsoft's most serious threat ranking, will include a patch for a vulnerability that went partially public last month after a bug bounty program tired of waiting for Redmond to fix the flaw.
Two weeks ago, HP TippingPoint's Zero Day Initiative (ZDI) revealed some details about the IE bug after its 180-day grace period had expired without Microsoft providing a patch. Microsoft acknowledged that the flaw existed, but said it had not received reports of the vulnerability being exploited in the wild. The company repeated that claim today.
The other critical update will patch all still-supported versions of Windows, ranging from Windows Server 2003 to Windows 8.1. Like the IE "bulletin" -- Microsoft's term for an update package that patches one or more vulnerabilities -- the critical one for Windows was tagged as "remote code execution" (RCE) in today's advance notification. That meant cyber criminals could, if they managed to exploit the bug, compromise an unpatched PC, then plant malware on it, steal information from it or use it as part of a botnet constructed from hijacked systems.
That bulletin will also affect Office 2007 and 2010 on Windows, as well as various versions of Lync 2010 and Lync 2013.
"Given the programs, [the vulnerability] is a shared component that has an impact across a variety of platforms," said Chris Goettl, a product manager at patch management vendor Shavlik, in an email Thursday. "This looks like an RCE that would be executed through some sort of phishing campaign to get users to click a link or open a file. Given the critical rating, it wouldn't surprise me if there's an added element to this that makes it more dangerous than your standard phishing attack. It's also possible that Microsoft has seen some attacks in the wild."
Others followed Goettl in putting the update in the spotlight.
"[Because] it is rated only 'Important' in Office, [it is likely] that it is a file-based vulnerability. Our bet is on a graphics format vulnerability, but we will see next Tuesday. Keep an eye on this one," advised Wolfgang Kandek, CTO of security vendor Qualys, in an email.
Although the information Microsoft provided on next week's two critical updates suggests that vulnerabilities also exist in the now-retired Windows XP, or in the versions of IE able to run on the 14-year-old OS, Windows XP will not receive those fixes.