Microsoft on Monday unexpectedly added two more critical security updates to the list it will deliver tomorrow, including one for all versions of its Internet Explorer (IE) and another that will affect the soon-to-be-retired Windows XP.
"These updates have completed testing and will be included in tomorrow's release," said Dustin Childs, a spokesman for Microsoft's Trustworthy Computing group, in a short addendum to a blog originally published last Thursday.
At that time, Microsoft said it would have just five security updates, two critical, that would quash vulnerabilities in Windows and the company's Exchange-based Forefront Protection 2010 security software.
The last-minute addition of two more critical updates, which brought the total to seven, four of them with Microsoft's highest-level threat rating, was unusual, said Andrew Storms, director of DevOps at San Francisco-based CloudPassage. But he took Childs at his word about why the new ones were squeezed onto the slate.
"They were probably busy testing the new updates, but hadn't confirmed they were good until this morning," said Storms in an interview conducted using instant messaging.
According to Microsoft's revised advance notification for Tuesday's patches, the two bulletins will address one or more vulnerabilities in IE and one or more in Windows, specifically VBScript (officially known as Visual Basic Scripting Edition), which is packaged with every version of the OS, both client and server. The two bulletins were tagged as "remote code execution," meaning attackers who crafted and delivered exploits against unpatched PCs would be able to hijack a machine and plant malware on it.
Bulletin 1 is now dedicated to IE, Microsoft said, and will update every version, from the soon-to-be-retired IE6 to the newest IE11 on Windows 8.1 and Windows RT 8.1.
Storms and other security experts had noted last week that Microsoft had omitted an IE update for two months running; the sudden appearance of a patch job means that is no longer true.
"I think that most likely they wanted to get a number of bugs [in IE] fixed this month, but in terms of testing and timing were right on the edge," Storms said, guessing at the reasons why Microsoft first said it had no IE update, then said it did. "It is a little questionable since they did claim to have all those extra testing resources [for IE]. Makes me wonder why it took so long, or what about the timing threw them off the regular cadence."
Most security professionals classify an IE update as the one to deploy first, because of IE's widespread use and the prevalence of browser-based attacks. Storms said that is the case here.
The VBScript update will affect all versions of Windows, but was rated critical on the client editions such as Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1. On the server side, it was tagged as "moderate," two steps below critical on Microsoft's four-level scoring system.
The new Bulletin 2 means that there will be a critical update for Windows XP tomorrow. That's notable because Microsoft plans to stop publicly patching the nearly-13-year-old operating system after April 8.
Storms believes the IE and VBScript updates are connected.
"I suspect the IE and VBScript [updates] are related, because they may have both been delayed together in their testing," Storms said. "Maybe it's just a coincidence. But two bulletins released at the last minute? That seems related in some way to me."
As Storms pointed out, it's rare that Microsoft adds updates at the last minute, although the company has done the opposite a handful of times, yanking one or more just before Patch Tuesday because its engineers found a glitch.
"I suppose this is better than proactively putting them in the [advanced notification] and then having to pull them a few days later," Storms said.
Microsoft will release this month's security updates on Tuesday around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.