Microsoft on Monday unexpectedly added two more critical security updates to the list it will deliver tomorrow, including one for all versions of its Internet Explorer (IE) and another that will affect the soon-to-be-retired Windows XP.
"These updates have completed testing and will be included in tomorrow's release," said Dustin Childs, a spokesman for Microsoft's Trustworthy Computing group, in a short addendum to a blog originally published last Thursday.
At that time, Microsoft said it would have just five security updates, two of them critical, that would quash vulnerabilities in Windows and the company's Exchange-based Forefront Protection 2010 security software.
The last-minute addition of two more critical updates, which brought the total to seven, four of them with Microsoft's highest-level threat rating, was unusual, said Andrew Storms, director of DevOps at San Francisco-based CloudPassage. But he took Childs at the latter's word about why the new ones squeezed onto the slate.
"They were probably busy testing the new updates, but hadn't confirmed they were good until this morning," said Storms in an interview conducted using instant messaging.
According to Microsoft's revised advance notification for Tuesday's patches, the two bulletins will address one or more vulnerabilities in IE and one or more in Windows, specifically VBScript (officially known as Visual Basic Scripting Edition), which is packaged with every version of the OS, both client and server. The two bulletins were tagged as "remote code execution," meaning attackers who crafted and delivered exploits against unpatched PCs would be able to hijack a machine and plant malware on it.
Bulletin 1 is now dedicated to IE, Microsoft said, and will update every version, from the soon-to-be-retired IE6 to the newest IE11 on Windows 8.1 and Windows RT 8.1.
Storms and other security experts had noted last week that Microsoft had omitted an IE update for two months running; the sudden appearance of an IE patch means that is no longer the case.
"I think that most likely they wanted to get a number of bugs [in IE] fixed this month, but in terms of testing and timing were right on the edge," Storms said, guessing at the reasons why Microsoft first said it had no IE update, then said it did. "It is a little questionable since they did claim to have all those extra testing resources [for IE]. Makes me wonder why it took so long, or what about the timing threw them off the regular cadence."
Most security professionals classify an IE update as the one to deploy first, because of IE's widespread use and the prevalence of browser-based attacks. Storms said that is the case here.