Microsoft today said it will ship 11 security updates next week to patch critical vulnerabilities in Windows, Internet Explorer (IE), Office and Exchange, including one meant to stymie active attacks the company confirmed a month ago.
With the 11 slated for release on Dec. 10, Microsoft's update tally for the year will reach 106, tying the record from 2010 and representing a 28% increase over 2012.
Five of the updates outlined in today's Patch Tuesday advance notification will be marked "critical," the top ranking in Microsoft's scoring system; the remaining six will be labeled "important," one step down in severity.
"IE is the 'of course patch first' update," said Andrew Storms, director of DevOps at San Francisco-based security company CloudPassage.
The critical IE update will affect all currently supported versions of Microsoft's browser, from the aging IE6 to the just-released IE11. With it, Microsoft will have patched IE in every month of 2013, something that was not possible before July 2012; until then, the Redmond, Wash., company shipped IE fixes only on alternating months.
Microsoft will be forced to support the half-dozen flavors of IE through at least April, when it will finally retire IE6, the oft-derided browser that debuted more than 12 years ago.
"Talk about legacy costs," said Storms in an instant message interview Thursday. "We think about the operational costs for IT departments to manage and maintain X number of old systems, [but] imagine Microsoft having to do the same for all their customers."
Another critical update will patch one or more flaws in a combination of Windows and Office editions to shut down ongoing attacks reported to Microsoft by McAfee researchers in early November. Microsoft issued a security advisory on Nov. 5 that described the threat and offered a temporary fix.
Two of the remaining three critical updates will affect Windows, while the third will patch Exchange, the business-critical email server software that many organizations rely on to deliver their mail.
Storms recommended that Microsoft's customers immediately install the critical Windows updates, but hedged on the one for Exchange.
On one hand, the criticality of the Exchange update would seem to demand attention. But Storms pointed out that the decision may be tougher than at first glance, since IT staffs are often short-handed at the end of the year and leery of breaking email at any time.
"Taking the risk of patching and rebooting Exchange at the end of the year will surely create a lot of opinions inside meeting rooms," said Storms, referring to discussions that will take place next week about whether to patch the email servers.
"If we get lucky, [the Exchange vulnerability] will be in Oracle's Outside In, and there will be an easy mitigation," Storms added.