Microsoft today said it will deliver nine security updates to customers next week, patching Internet Explorer (IE) and all versions of Windows in a pair of critical fixes, and also quashing bugs in OneNote, SharePoint Server and SQL Server.
Business customers running Windows 8.1 must have deployed April's Update 1 before next Tuesday, Aug. 12, to receive the month's patches.
The IE update, one of two classified as "critical" -- Microsoft's most serious threat ranking -- will patch all supported versions of the browser, from the aged IE6 on Windows Server 2003 to the newest, IE11, on Windows 7, Windows 8 and Windows 8.1.
Also in the mix for next week's "Patch Tuesday" but not called out in today's advanced notification, will be changes to IE8, IE9, IE10 and IE11: After the update, those browsers will block all outdated versions of the Java ActiveX control, or plug-in. Microsoft revealed the plug-in blocking in a separate announcement yesterday.
Microsoft has been on an IE patching tear of late. In May, it patched 60 vulnerabilities in the browser, while June's update fixed 24, both above-average tallies for an IE security update. Microsoft did not reveal the exact number of individual patches in this month's IE bulletin.
Security experts recommended customers apply the IE update before any others because of the browser's widespread use, particularly in the workplace, and also because it is often the target of choice for cyber criminals trying to plant malware on PCs. "First on our radar this month is an update for IE," said Russ Ernst, direct of product management for Lumension, in an email today.
"I expect we will see over 10 vulnerabilities, mostly relating to memory corruption, being resolved in this [month's IE update]," said Chris Goettl, product manager for patch-management vendor Shavlik, also in a Thursday email.
The bulk of the May and June IE updates comprised memory corruption bug fixes.
The second critical update will patch one or more remote code executable vulnerabilities in Windows 7, Windows 8 and Windows 8.1, which collectively power nearly 70% of all in-use Windows PCs.
Ross Barrett, senior manager of security engineering at Rapid7, pegged the Windows update, designated "Bulletin 2" by Microsoft, as "more interesting" than the IE fixes. "This points to an issue either in an authentication mechanism, or a service that might be listening remotely," Barrett contended.
Seven of the scheduled updates were tagged "important," the threat rating immediately below critical, and will affect some or all versions of Windows; OneNote 2007 Service Pack 3 (SP3); SQL Server 2008, 2008 R2, 2012 and 2014; Windows Media Center TV Pack for Windows Vista; and SharePoint Server 2013.
However, none of next week's nine updates will reach devices running Windows 8.1 unless they've been upgraded to Windows 8.1 Update, the mandated collection Microsoft released in mid-April.
Microsoft originally gave everyone just five weeks to put Windows 8.1 Update in place, but quickly backed off under pressure from corporate customers. Businesses that rely on WSUS (Windows Server Update Services), Windows Intune or System Center Configuration Manager to obtain and deploy patches were given until August to apply Windows 8.1 Update before being shut off from future patches.
Consumers and small businesses -- anyone who uses Windows Update to fetch patches -- got a one-month extension, and so had to have Windows 8.1 Update in place by June 10.
Microsoft will ship the nine security updates on Aug. 12 at approximately 1 p.m. ET (10 a.m. PT).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is [email protected].
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.