Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.
"The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505," confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.
Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cyber criminals in targeted attacks against users in Japan and Taiwan.
"IE is always top of the list," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.
On Sept. 17, Microsoft confirmed that hackers were exploiting a critical unpatched vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9). The bug, however, existed in all versions of the browser, including the 12-year-old IE6 and the newest IE11.
Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public when a working module was added to the open-source Metasploit penetration-testing framework. Researchers predicted that the Metasploit release would result in an increase in attacks as less-capable hackers copied the code and added it to their weaponized toolkits.
"Once it went into Metasploit, I anticipated an early release of a patch by Microsoft," said Storms today. "Obviously the patch is done, but Microsoft's and its partners' telemetry must have shown that there were no reasons to go out-of-band."
Historically, Microsoft has issued "out-of-band" updates -- those outside the normal monthly release schedule -- only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.
The early date of October's Patch Tuesday -- always the second Tuesday of the month -- may have played a part in Microsoft's decision to hold the update and not go out-of-band, Storms said.
The IE update was just one of four rated "critical" by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1, according to Microsoft's advance notification distributed today.
Experts recommended that customers install the Windows updates as soon as possible after their release. "Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update," warned Storms.
Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.