Microsoft to Ship 17 Patches on Patch Tuesday


Microsoft notified security managers Thursday to watch out for 17 individual security patches coming on the company's December Patch Tuesday event next week, which may be one of the biggest patch releases yet.

That could mean security managers will be even busier than they were just two months ago, when Microsoft (NASDAQ: MSFT) asked them to install one of the largest patch drops ever.

Microsoft published its advance notification for Patch Tuesday to give security managers time to plan for the company's monthly patch release.

In October, Microsoft issued 16 patches, four of them rated as critical, that fixed a total of 49 separate security flaws.

It's currently unknown how many individual security holes will be fixed in each of the patches when they're released next week. However, only two of the patches, each of which can contain multiple security fixes, are rated "critical" in Microsoft's four-tiered severity rankings.

One of December's patches is rated critical for all versions of Windows and Internet Explorer (IE).

Additionally, one security vulnerability that Microsoft will fix Tuesday is a zero-day flaw affecting IE that was discovered just before November's Patch Tuesday drop.

The flaw in IE 6, 7, and 8 could let an attack program completely compromise the user's system. Microsoft published a Security Advisory at the time that included workarounds for IE 8, and said it was working on a fix for the problem.

Now that patch is tested and ready for distribution, according to a Microsoft spokesperson.

"We're going to have an update to fix that next week," the spokesperson said.

Meanwhile, Microsoft has not changed its stance on a zero-day vulnerability in what's called "Protected Mode" that researchers at Verizon Business, a unit of Verizon Communications (NYSE: VZ), announced earlier this week.

Protected Mode was created to stop ActiveX controls or browser add-ons from being installed on a computer without the user's permission. The researchers' white paper says that the feature has a flaw that, in some cases, could be exploited to escalate an attack program's user privileges.

"Protected Mode is not a security boundary – it does not provide direct protection, only a chance for a user to verify an action before it happens," Jerry Bryant, Microsoft group manager for response communications, said in an email to earlier this week.

Microsoft's advance notification for December is available online.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.

Keep up with security news; follow eSecurityPlanet on Twitter: @eSecurityP.