Microsoft to Target 12 Flaws, IE Zero-Day in Patch Tuesday
Redmond clamps down on a problem that surfaced last month in older editions of Internet Explorer.
Microsoft plans to issue six patches that fix a total of a dozen vulnerabilities next week in the next installment of its "Patch Tuesday" roundup of fixes.
As usual, Microsoft so far isn't revealing much about the exact flaws that it will address next week. The company releases its monthly batch of bug fixes on the second Tuesday of each month--earning the event the nickname of "Patch Tuesday." On the preceding Thursday, the company sends out an advance notice to IT administrators and other subscribers to give then a general idea of what will be fixed in the following week's patch drop.
Next week's patches will target security holes in Windows, Internet Explorer (IE), and Microsoft Office products. Three of them are rated at Microsoft's maximum threat level of "critical," while the other three rank one tier down at "important."
"To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word ,and Works 8.5. All of the updates for Windows will require a restart, so please plan accordingly," Microsoft's Security Response Center team said in a blog post.
The post goes on to explain that one of Tuesday's patches will fix a zero-day flaw in older versions of IE that surfaced after November's Patch Tuesday drop.
Last week, Microsoft warned about the flaw in a Security Advisory.
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 on all supported versions of Microsoft Windows are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected," the company said in its earlier advisory.
The company has also said that proof-of-concept code to exploit the flaw has already become available.
Microsoft's move to reveal its plans to fix the flaw ahead of Patch Tuesday may signal the severity of the issue: The company rarely details what vulnerabilities it's specifically fixing in an upcoming patch drop until the day of Patch Tuesday itself.
Otherwise, however, the upcoming slate of fixes appears relatively typical for Microsoft's regularly scheduled patches. Patch Tuesday roundups often clock in at a handful of patches--such as occurred last month--although in recent months they've also ranged into far more extensive lists of updates. Such was the situation in October, when Microsoft patched its largest number of bugs in a single month.
Today's advance notice on next week's Patch Tuesday also makes no mention of a controversy that raged earlier this week, when U.K. security firm Prevx accused Microsoft of releasing a security update in November that caused a rash of so-called "black screen" problems for users.
Microsoft came out swinging in response, stating flatly that, after testing its November updates, none caused any problems like the ones Prevx described. That ultimately caused the U.K. company to apologize and withdraw its accusations.
The conclusion of that spat still doesn't explain whether many--or if any--users were actually impacted by the black screen, or what might have caused it.
One of the possibilities is that the kinds of Windows registry changes blamed for the black screens could be caused by malware attacks, according to Microsoft.
Stuart Johnston is a frequent contributor to Internet.com. He is based in Washington.