Microsoft today said it will deliver nine security updates to customers next week, patching Internet Explorer (IE) and all versions of Windows in a pair of critical fixes, and also quashing bugs in OneNote, SharePoint Server and SQL Server.
Business customers running Windows 8.1 must have deployed April's Update 1 before next Tuesday, Aug. 12, to receive the month's patches.
The IE update, one of two classified as "critical" -- Microsoft's most serious threat ranking -- will patch all supported versions of the browser, from the aged IE6 on Windows Server 2003 to the newest, IE11, on Windows 7, Windows 8 and Windows 8.1.
Also in the mix for next week's "Patch Tuesday" but not called out in today's advanced notification, will be changes to IE8, IE9, IE10 and IE11: After the update, those browsers will block all outdated versions of the Java ActiveX control, or plug-in. Microsoft revealed the plug-in blocking in a separate announcement yesterday.
Microsoft has been on an IE patching tear of late. In May, it patched 60 vulnerabilities in the browser, while June's update fixed 24, both above-average tallies for an IE security update. Microsoft did not reveal the exact number of individual patches in this month's IE bulletin.
Security experts recommended customers apply the IE update before any others because of the browser's widespread use, particularly in the workplace, and also because it is often the target of choice for cyber criminals trying to plant malware on PCs. "First on our radar this month is an update for IE," said Russ Ernst, direct of product management for Lumension, in an email today.
"I expect we will see over 10 vulnerabilities, mostly relating to memory corruption, being resolved in this [month's IE update]," said Chris Goettl, product manager for patch-management vendor Shavlik, also in a Thursday email.
The bulk of the May and June IE updates comprised memory corruption bug fixes.
The second critical update will patch one or more remote code executable vulnerabilities in Windows 7, Windows 8 and Windows 8.1, which collectively power nearly 70% of all in-use Windows PCs.
Ross Barrett, senior manager of security engineering at Rapid7, pegged the Windows update, designated "Bulletin 2" by Microsoft, as "more interesting" than the IE fixes. "This points to an issue either in an authentication mechanism, or a service that might be listening remotely," Barrett contended.
Seven of the scheduled updates were tagged "important," the threat rating immediately below critical, and will affect some or all versions of Windows; OneNote 2007 Service Pack 3 (SP3); SQL Server 2008, 2008 R2, 2012 and 2014; Windows Media Center TV Pack for Windows Vista; and SharePoint Server 2013.
Sign up for CIO Asia eNewsletters.