Skip the navigation

Microsoft slates IE bug fix for next week

Will patch 23 vulnerabilities in Windows, its browser and other software

October 6, 2011 03:18 PM ET

Computerworld - Microsoft today said it will ship eight security updates next week to patch 23 vulnerabilities in Windows, Internet Explorer (IE) and several other products in its portfolio.

The company sketched out the upcoming patches in an advanced notice of Patch Tuesday's line-up.

Two of the eight updates, which Microsoft refers to as "bulletins," will be rated "critical," the most-serious threat ranking in its scoring system. The remaining six will be labeled "important," the next-most-severe tag. Most of the bulletins, including four of the six pegged as important, are to patch vulnerabilities that attackers could exploit to execute malicious code, and potentially commandeer the computer, the company acknowledged.

Microsoft said that the eight updates will fix 23 security flaws. The company usually delivers a larger number of updates that patch a higher number of vulnerabilities in even-numbered months, leaving a lighter load for odd-numbered months.

In August, for example, Microsoft issued 13 updates that patched 22 vulnerabilities, while in September it delivered five updates that quashed 15 bugs.

This month's tallies were slightly sub-par for an even-numbered month: So far this year, Microsoft has patched an average of 26.2 bugs in those months. In odd-numbered months, Microsoft fixed an average of 9.4 flaws.

"In 2010, the up and down from odd- to even-numbered months was more recognizable," said Andrew Storms, director of security operations at nCircle Security. "This year, the numbers have been flatter lately. They're in the double digits almost every month. So IE is really the difference. We know we get an IE update every other month."

Storms is right: Since July, Microsoft has patched an average of 18.5 vulnerabilities in the odd-numbered months, and 22.5 bugs in the even-numbered months.

The IE update will probably be the one most users should deploy first, said Storms, advice he and other security experts almost always give every other month. That update is one of the two rated critical by Microsoft, and affects all currently-supported versions of the browser, including this year's IE9.

"I doubt there will be a story this month from Microsoft about how IE9 is more secure than its other browsers," said Storms, referring to the critical label Microsoft assigned to the new version's update.

The other critical bulletin will patch one or more vulnerabilities in the .Net framework included with every version of Windows, from 2001's XP to 2009's Windows 7. The same update will also plug a hole in the Silverlight 4 development tool.

Marcus Carey, a security researcher with Rapid7, pointed out that the .Net and Silverlight update sounds similar to MS11-039, a critical bulletin Microsoft issued in June.

Our Commenting Policies