Microsoft today said it will ship six security updates to customers next week, patching all versions of Internet Explorer (IE) and nearly all supported editions of Windows.
The IE update, one of two classified as "critical" -- Microsoft's most serious threat ranking -- will patch IE6 on Windows Server 2003, IE7, IE8, IE9, IE10 and the newest, IE11.
It's unlikely that July's IE update will match June's in size: Microsoft fixed a record 60 flaws in the browser on June 10. (Originally, Microsoft said it had patched 59 IE bugs last month, but a week later acknowledged it had forgotten to add one to the list, and so upped the count to an even 60.)
Windows 7 users who have not freshened IE11 with a mandatory April update will not receive next week's browser fixes.
According to Thursday's advanced notice, which briefly described the July updates, the second critical bulletin will patch all client editions of Windows -- from Vista to Windows 8.1 -- and all server versions except for those running on systems powered by Intel's Itanium processors. Windows Server 2008 and Server 2012 systems provisioned by installing only the Server Core -- a minimal install with many features and services omitted to lock down the machine -- are also exempt from Bulletin 2, Microsoft said.
Of the remaining four updates, three were labeled "important" by Microsoft -- the threat step below critical -- while the fourth was pegged "moderate." All will offer patches for some or all Windows editions, both on the desktop and in the data center.
Security researchers pointed to the two critical bulletins as the obvious first-to-deploy for most Microsoft customers.
They also remarked on Bulletin 6, the single moderate update, which will patch Microsoft Service Bus for Windows Server. The bus is a messaging and communications service that third-party developers can use to tie their code to Windows Server and Microsoft Azure, the Redmond, Wash. company's cloud service.
"The odd one out this month is the Moderate Denial of Service in 'Microsoft Service Bus for Windows Server,'" said Ross Barrett, senior manager of security engineering at Rapid7, in an email. "It's part of the Microsoft Web Platform package and is not installed by default with any OS version."
Although Microsoft did not mention it in today's advance notice, or in the blog post by the Microsoft Security Response Center (MSRC), enterprises have one more month to deploy April's Windows 8.1 Update and Server 2012 R2 Update before losing patch privileges for devices running Windows 8.1 or servers running 2012 R2.
Hardware powered by Windows 8.1 or Server 2012 R2 must be updated before Aug. 12, the next scheduled Patch Tuesday, to receive that month's updates, as well as any future security fixes.
Or in some cases, even present patches, said Chris Goettl, a program product manager at Shavlik, in an email.
"One thing to watch out for [next week] will be [something similar to] the many exceptions we saw last month," Goettl cautioned. "Many of the updates we saw in June required other updates to be in place, depending on the platform. For those running Windows 8.1 or Server 2012 R2, they need to be prepared for more of these updates to require Update 1 before they can apply them. Microsoft has stated they would delay a hard enforcement until August, but more and more of the patches [have] had variations that required Update 1. So look out for that cut over -- it's coming quick."
Microsoft will ship the six security updates on July 8 at approximately 1 p.m. ET (10 a.m. PT).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.