Microsoft today announced it will deliver seven security updates to customers next week, including an almost-habitual one for Internet Explorer (IE), and others for Windows, Office and Lync, the company's communications server software.
Before then, Windows 8.1 devices that rely on Windows Update to obtain patches must have moved to Windows 8.1 Update, an interim upgrade Microsoft shipped in early April.
The IE update, one of two classified as "critical," Microsoft's most serious threat ranking, will include a patch for a vulnerability that went partially-public last month after a bug bounty program tired of waiting for Redmond to fix the flaw.
Two weeks ago, HP TippingPoint's Zero Day Initiative (ZDI) revealed some details about the IE bug after its 180-day grace period had expired without Microsoft providing a patch. Microsoft acknowledged that the flaw existed, but said it had not received reports of the vulnerability being exploited in the wild. The company repeated that claim today.
The other critical update will patch all still-supported versions of Windows, ranging from Windows Server 2003 to Windows 8.1. Like the IE "bulletin" -- Microsoft's term for an update package that patches one or more vulnerabilities -- the critical one for Windows was tagged as "remote code execution" (RCE) in today's advance notification. That meant cyber criminals could, if they managed to exploit the bug, compromise an unpatched PC, then plant malware on it, steal information from it or use it as part of a botnet constructed from hijacked systems.
That bulletin will also affect Office 2007 and 2010 on Windows, as well as various versions of Lync 2010 and Lync 2013.
"Given the programs, [the vulnerability] is a shared component that has an impact across a variety of platforms," said Chris Goettl, a product manager at patch management vendor Shavlik, in an email Thursday. "This looks like an RCE that would be executed through some sort of phishing campaign to get users to click a link or open a file. Given the critical rating, it wouldn't surprise me if there's an added element to this that makes it more dangerous than your standard phishing attack. It's also possible that Microsoft has seen some attacks in the wild."
Others followed Goettl in putting the update in the spotlight.
"[Because] it is rated only 'Important' in Office, [it is likely] that it is a file-based vulnerability. Our bet is on a graphics format vulnerability, but we will see next Tuesday. Keep an eye on this one," advised Wolfgang Kandek, CTO of security vendor Qualys, in an email.
Although the information Microsoft provided on next week's two critical updates suggests that vulnerabilities also exist in the now-retired Windows XP, or in the versions of IE able to run on the 14-year-old OS, Windows XP will not receive those fixes.
However, Microsoft will update a cousin of XP -- Windows Embedded POSReady 2009, designed for point-of-sale systems and automated teller machines (ATMs) -- and again prompt some to hack their copies of Windows XP SP3 to trick Windows Update into delivering the fixes.
Microsoft will issue the month's security updates on Tuesday, June 10.
Before that, most customers with Windows 8.1-powered PCs or tablets must have applied April's Windows 8.1 Update. Anyone who does not will be unable to obtain patches through Windows Update.
Microsoft originally gave everyone just five weeks to put Windows 8.1 Update in place or face a sans-patch future, but quickly backed off under pressure from corporate customers, giving them a three-month extension.
Next, just 24 hours before May's security slate was to ship, Microsoft ceded even more ground by extending the deadline for consumers to June 10.
Ironically, laggards still running 2012's original Windows 8 will continue to receive all appropriate patches; they have until January 2016 to migrate to Windows 8.1.
Customers have been both confused and frustrated by the Windows 8.1-to-Windows 8.1 Update requirements. Microsoft has done nothing to clear the air, and has continued to assert that the requirement was security related, an explanation many saw as arbitrary because Windows 8 users have been given a pass.
Microsoft will ship the seven security updates on June 10 at approximately 1 p.m. ET (10 a.m. PT).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.