Microsoft today said it will ship just five security updates next week, the fewest in any month so far this year, to patch 23 vulnerabilities in Internet Explorer (IE), Windows and Office.
The update for Office will address a bug that is now being exploited by hackers, a researcher claimed.
"There have been limited attacks using this vulnerability in the wild," said Paul Henry, a security and forensic analyst at Scottsdale, Ariz.-based Lumension, in an email. "Although it's not considered to be publicly known, it is being actively exploited to some extent." The exploits have been distributed in malicious files sent to potential victims via email, Henry added.
According to the advance notice Microsoft published Thursday, Office will be patched by Bulletin 5, a placeholder moniker that will receive its official designation next week. Bulletin 5 will update Office 2003, the 10-year-old version that gets its retirement papers in April 2014, and the latest edition for OS X, Office for Mac 2011.
Andrew Storms, director of security operations at Tripwire's nCircle Security, was stumped by the update's aim at versions separated not only by operating systems, but also by eight years. "I have no idea," said Storms when asked what Office 2003 and Office for Mac 2011 had in common that wasn't also included in later suites for Windows, such as Office 2007, 2010 or 2013.
Even though the Office bug is being exploited at the moment, Henry, Storms and others put the spotlight instead on Bulletin 1, the IE update.
"You don't need to wait until Tuesday to set your priorities," Storms said. "It's obviously [the] IE [update] at the top of the list."
Bulletin 1 will patch all supported versions of IE, ranging from the 12-year-old IE6 to 2012's IE10. Bulletin 1 was the only one pegged as critical, the highest threat ranking in Microsoft's four-step system. Henry said Bulletin 1 will patch 19 of the 23 vulnerabilities scheduled to be addressed next week in the five updates.
"If left unpatched, this vulnerability can cause remote code execution, which implies that an attacker can take control of the victim computer if the victim browses to a malformed website using IE," explained Amol Sarwate, director of Qualys' vulnerability lab, in an email. "Since the browser is a window to the Internet, IE users should apply this patch as soon as it is released."
Storms put it more succinctly. "These vulnerabilities could be used in drive-by attacks," he said, describing attacks that lurk on malicious or compromised websites, and trigger as soon as a vulnerable browser visits. "But then, I can't think of an IE vulnerability that wasn't a drive-by."