Microsoft slates hefty Patch Tuesday to fix 34 flaws

Second-biggest collection this year includes first critical vulnerability in IE9

Microsoft will issue 16 security updates next week to patch 34 vulnerabilities in Windows, Internet Explorer (IE), Office, SQL Server and other products.

"It's the usual mishmash for an even-numbered month," said Andrew Storms, director of security operations at nCircle Security. "But to some degree, we expected a big month. And they stayed true to form."

Microsoft typically releases a larger number of updates in even-numbered months, and fewer in odd-numbered months. In May, for instance, Microsoft shipped just two updates -- the company called them "bulletins" -- to patch only three vulnerabilities.

Of the 16 updates, nine will be rated "critical," the highest threat label in Microsoft's four-step scoring system, while the remaining seven will be marked "important," the second-most-dire ranking.

Next week's Patch Tuesday bulletin count will be the second-largest this year, following April's collection of 17 updates, but beating February's total of 12.

The number of bugs Microsoft plans to quash will also be the second-highest in 2011: Microsoft fixed a record 64 flaws in its software portfolio two months ago.

The company also regularly updates IE in even-numbered months, and will patch its browser next week in two separate bulletins, an unusual move. Both IE updates were labeled critical.

All versions of IE will receive one of the updates, including IE9, the newest edition, while the second IE bulletin will affect only IE8 and older versions.

Next Tuesday's IE9 update will be the browser's first since it debuted in mid-March, as well as the first pegged critical.

"So, basically it had a critical bug the day it shipped," said Storms.

Storms was referring to Microsoft's testing process, which usually lasts two months or more. That timeline would have precluded an IE9 patch in April, the first update scheduled after the browser shipped.

Beyond the two updates that affect IE, 10 target Windows, two will address bugs in Office -- the Excel spreadsheet and InfoPath, Office's form maker, will receive fixes -- one will patch the Forefront security client, and another will update the .Net and Silverlight platforms bundled with Windows.

The update that tackles one or more flaws in InfoPath will also patch SQL Server and the Visual Studio development toolset, Microsoft said in the notes it published today announcing next Tuesday's slate.

Several of the updates will patch Windows 7, Microsoft's newest operating system that continues to gain users. According to Web metrics company Net Applications, Windows 7 now accounts for 26% of all operating systems currently in use.

Eight of the 10 Windows updates affect Windows 7, with five of those marked critical. The other three were tagged important by Microsoft.

"The number of Windows 7 updates isn't surprising, but par for the course," said Storms. "A lot more people are moving to Windows 7, and the bugs are going to follow the user base."

Storms suspected that the updates for Silverlight, .Net and Visual Studio may have something to do with GDI+ (graphics device interface), the core component that handles graphics rendering in Windows. "It may be something that Microsoft needs to fix so developers can redistribute updated software," Storms speculated. "If so, it wouldn't be surprising, but it would also be disappointing. Microsoft's had its fair share of GDI vulnerabilities."

Microsoft last patched GDI in April.

Also today, Adobe announced that it will ship updates for Reader and Acrobat on Tuesday. Although Adobe did not specify how many bugs will be patched in the update, several in Flash Player -- Adobe's popular browser plug-in -- that have been patched previously still must be addressed in Reader X, the newest edition that includes anti-exploit "sandbox"

The 16 updates from Microsoft will be released at approximately 1 p.m. ET on June 14.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is
