Microsoft today said it will issue 16 security updates next week to patch 34 vulnerabilities in Windows, Internet Explorer (IE), Office, SQL Server and other products.
"It's the usual mishmash for an even-numbered month," said Andrew Storms, director of security operations at nCircle Security. "But to some degree, we expected a big month. And they stayed true to form."
Microsoft typically releases a larger number of updates in even-numbered months, and fewer in odd-numbered months. In May, for instance, Microsoft shipped just two updates -- the company called them "bulletins" -- to patch only three vulnerabilities.
Of the 16 updates, nine will be rated "critical," the highest threat label in Microsoft's four-step scoring system, while the remaining seven will be marked "important," the second-most-dire ranking.
Next week's Patch Tuesday bulletin count will be the second-largest this year, following April's collection of 17 updates, but beating February's total of 12 .
The number of bugs Microsoft plans to quash will also be the second-highest in 2011: Microsoft fixed a record 64 flaws in its software portfolio two months ago.
The company also regularly updates IE on even-numbered months, and will patch its browser next week in two separate bulletins, an unusual move. Both IE updates were labeled critical.
All versions of IE will receive one of the updates, including IE9, the newest edition, while the second IE bulletin will affect only IE8 and older versions.
Next Tuesday's IE9 update will be the browser's first since the browser debuted in mid-March , as well as the first pegged critical.
"So, basically it had a critical bug the day it shipped," said Storms.
Storms was referring to Microsoft's testing process, which usually lasts two months or more. That timeline would have precluded an IE9 patch in April, the first update scheduled after the browser shipped.
Beyond the two updates that affect IE, 10 target Windows, two will address bugs in Office -- the Excel spreadsheet and InfoPath, Office's form maker, will receive fixes -- one will patch the Forefront security client, and another will update the .Net and Silverlight platforms bundled with Windows.
The update that tackles one or more flaws in InfoPath will also patch SQL Server and Visual Studio development toolset, Microsoft said in the notes it published today announcing next Tuesday's slate.
Several of the updates will patch Windows 7, Microsoft's newest operating system that continues to gain users. According to Web metrics company Net Applications, Windows 7 now accounts for 26% of all operating systems currently in use.
Eight of the 10 Windows updates affect Windows 7, with five of those marked critical. The other three were tagged important by Microsoft.
"The number of Windows 7 updates isn't surprising, but par for the course," said Storms. "A lot more people are moving to Windows 7, and the bugs are going to follow the user base."
Storms suspected that the updates for Silverlight, .Net and Visual Studio may have something to do with GDI+ (graphics device interface), the core component that handles graphics rendering in Windows. "It may be something that Microsoft needs to fix so developers can redistribute updated software," Storms speculated. "If so, it wouldn't be surprising, but it would also be disappointing. Microsoft's had its fair share of GDI vulnerabilities."
Microsoft last patched GDI in April.
Also today, Adobe announced that it will ship updates for Reader and Acrobat on Tuesday. Although Adobe did not specify how many bugs will be patched in the update, several in Flash Player -- Adobe's popular browser plug-in -- that have been patched previously still must be addressed in Reader X , the newest edition that includes anti-exploit "sandbox" technology.how