
Microsoft to patch 23 vulnerabilities next week

Eight security updates to be shipped for Windows, Internet Explorer, .Net framework and Silverlight

Microsoft will ship eight security updates next week to patch 23 vulnerabilities in Windows, Internet Explorer (IE) and several other products in its portfolio, the company announced this morning.

Microsoft sketched out the upcoming patches in its advance notification of Patch Tuesday's line-up.

Two of the eight updates, which Microsoft refers to as "bulletins," will be rated "critical," the most serious threat ranking in its scoring system. The remaining six will be labelled "important," the next-most-severe tag. Most of the bulletins, including four of the six pegged as important, patch vulnerabilities that attackers could exploit to execute malicious code and potentially take over the computer, the company acknowledged.

Microsoft said that the eight updates will fix 23 security flaws. The company usually delivers a larger number of updates that patch a higher number of vulnerabilities in even-numbered months, leaving a lighter load for odd-numbered months.

In August, for example, Microsoft issued 13 updates that patched 22 vulnerabilities, while in September it delivered five updates that quashed 15 bugs.

This month's tallies were slightly sub-par for an even-numbered month: So far this year, Microsoft has patched an average of 26.2 bugs in those months. In odd-numbered months, Microsoft fixed an average of 9.4 flaws.

"In 2010, the up and down from odd- to even-numbered months was more recognisable," said Andrew Storms, director of security operations at nCircle Security. "This year, the numbers have been flatter lately. They're in the double digits almost every month. So IE is really the difference. We know we get an IE update every other month."

Storms is right: Since July, Microsoft has patched an average of 18.5 vulnerabilities in the odd-numbered months, and 22.5 bugs in the even-numbered months.

The IE update will probably be the one most users should deploy first, said Storms, the same advice he and other security experts give almost every other month. That update is one of the two rated critical by Microsoft, and it affects all currently supported versions of the browser, including this year's IE9.

"I doubt there will be a story this month from Microsoft about how IE9 is more secure than its other browsers," said Storms, referring to the critical label Microsoft assigned to the new version's update.

The other critical bulletin will patch one or more vulnerabilities in the .Net framework included with every version of Windows, from 2001's XP to 2009's Windows 7. The same update will also plug a hole in the Silverlight 4 browser plug-in.
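The deploy-critical-first advice above, as an added example that is not part of the original article: a PowerShell script that uses the Windows Update Agent COM API (the Microsoft.Update.Session, Microsoft.Update.UpdateColl ProgIDs and their IUpdate properties) to list the updates still pending on a machine, ordered by Microsoft's severity rating so that critical bulletins such as the IE and .Net updates come first, and optionally to install only the critical ones in this pass. The severity-to-rank mapping and the search filter string are my own choices; the script assumes the machine can reach Windows Update or its WSUS server and that the shell is elevated for the install step.

```powershell
# Added example, not code from the article or from Microsoft.
# Lists pending updates via the Windows Update Agent COM API, ranked by
# Microsoft's MSRC severity ("Critical" first), then installs only the
# critical ones. Run from an elevated shell on a machine that can reach
# Windows Update or its WSUS server (assumption).

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Search filter (my choice): software updates not yet installed and not hidden.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Map MSRC ratings to a sort key; anything without a rating sorts last.
$rank = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2; 'Low' = 3 }

$pending = foreach ($u in $result.Updates) {
    $sev = [string]$u.MsrcSeverity      # empty for non-security updates
    if (-not $sev) { $sev = 'Unrated' }
    [pscustomobject]@{
        Severity  = $sev
        Rank      = if ($rank.ContainsKey($sev)) { $rank[$sev] } else { 9 }
        Bulletins = @($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
        KBs       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title     = $u.Title
    }
}

# Triage view: critical bulletins (IE, .Net) at the top of the list.
$pending | Sort-Object Rank, Title | Format-Table Severity, Bulletins, KBs, Title -AutoSize

# Optional: download and install only the Critical updates in this pass.
$critical = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    if ($u.MsrcSeverity -eq 'Critical') {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$critical.Add($u)
    }
}

if ($critical.Count -gt 0) {
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $critical
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $critical
    $installResult = $installer.Install()
    "Installed $($critical.Count) critical update(s); result code $($installResult.ResultCode); reboot required: $($installResult.RebootRequired)"
}
else {
    'No Critical updates pending.'
}
```

The first half is safe to run anywhere for inventory; the install section actually changes the machine, so test it on a pilot group before pointing it at production, and note that a ResultCode of 2 means success in this API while 4 means failure.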

Marcus Carey, a security researcher with Rapid7, pointed out that the .Net and Silverlight update sounds similar to MS11-039, a critical bulletin Microsoft issued in June.

"When exploit developers look for bugs disclosed in products, they usually find similar bugs which result in the same type of vulnerabilities," Carey said. "I'd expect the implications of this one to mirror MS11-039: specifically, that server and client side attacks may be perpetrated through .Net or Silverlight."

Other updates will patch a denial-of-service issue in Microsoft's Host Integration Server, a gateway that connects Windows-based networks with IBM mainframe and mid-range AS/400 systems, and a remote code execution flaw in Forefront Unified Access Gateway 2010, the company's VPN (virtual private networking) platform that lets enterprise workers reach corporate applications from outside the office.

Microsoft last quashed a bug in the VPN platform in November 2010.

Last month, Microsoft inadvertently published information about September's security updates four days early. Although it caught the embarrassing error and removed the pages from its website within an hour, some security researchers grabbed copies before they were deleted.

Storms doesn't expect a repeat performance this month.
