December 06, 2012, 4:03 PM — Microsoft today announced it will deliver seven security updates next week to patch 11 vulnerabilities, including the first that apply to Internet Explorer 10 (IE10), the company's newest browser.
As it did last month, Microsoft will also patch Windows 8, Windows RT and Windows Server 2012, its new desktop, tablet and server operating systems.
Five of the seven updates will be marked as "critical," Microsoft's highest threat ranking, while the remaining pair will be labeled "important," the Redmond, Wash. developer said in an advance warning published today.
Andrew Storms, director of security operations at nCircle Security, put the IE update atop his tentative to-do list. Others did, too, including Paul Henry, a researcher with Arizona-based Lumension.
In an email Thursday, Henry said that the bugs in IE9 and IE10 -- the only versions directly affected -- were "use-after-free" memory management vulnerabilities.
Given the IE update's critical rating, the bug or bugs can likely be exploited by hackers in "drive-by" attacks, which execute as soon as an unsuspecting user surfs to a malicious or compromised website.
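For readers unfamiliar with the bug class Henry names, the following C program is an added illustration (not code from the article, from Microsoft or from the researchers quoted) of what a use-after-free looks like in a browser-style object model, next to the reference-counting discipline that prevents it. The `node_t` type and the function names are constructed for this example; the vulnerable function is shown for contrast and is never called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a tiny DOM-like node shared by two holders
 * (say, the document tree and a script event handler). */
typedef struct node {
    int refcount;
    char name[16];
} node_t;

static node_t *node_new(const char *name)
{
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    n->refcount = 1;                       /* creator holds the first reference */
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

static node_t *node_ref(node_t *n)
{
    n->refcount++;                         /* a new holder takes its own reference */
    return n;
}

static void node_unref(node_t *n)
{
    if (--n->refcount == 0)                /* last holder gone: now it is safe to free */
        free(n);
}

/* Vulnerable pattern: the tree frees the element while 'handler' still aliases it.
 * The later read through 'handler' is the use-after-free; what it yields depends on
 * whatever the allocator has since placed at that address. Not run by the harness. */
void vulnerable_pattern(void)
{
    node_t *element = node_new("div");
    node_t *handler = element;             /* raw alias, no reference taken */
    free(element);                         /* element removed from the document */
    printf("%s\n", handler->name);         /* use-after-free */
}

/* Hardened pattern: every holder owns a reference, so the node outlives all aliases.
 * Returns 1 if the second holder still sees intact data after the first releases. */
int hardened_pattern(void)
{
    node_t *element = node_new("div");
    if (element == NULL) return 0;
    node_t *handler = node_ref(element);   /* second holder takes a reference */
    node_unref(element);                   /* first holder releases: refcount 2 -> 1 */
    element = NULL;                        /* no dangling alias left behind */
    int intact = (handler->refcount == 1 && strcmp(handler->name, "div") == 0);
    node_unref(handler);                   /* refcount 1 -> 0, node freed exactly once */
    handler = NULL;
    return intact;
}

int main(void)
{
    printf("hardened pattern intact: %d\n", hardened_pattern());
    return 0;
}
```

Building with AddressSanitizer (`-fsanitize=address`) and calling `vulnerable_pattern` would report a heap-use-after-free at the `printf` line, which is how such defects are typically caught in testing; the "defense-in-depth" changes Storms describes below are the same idea applied to code paths where the dangling read could not be triggered yet.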
Although IE9 and IE10 -- the latter is the latest in Microsoft's browser line and so far has shipped in final form only for Windows 8, Windows RT and Server 2012 -- will be patched, other still-supported editions will get fixes as well.
"Microsoft is making 'defense-in-depth' changes to the other browsers," said Storms of IE6, IE7 and IE8.
Microsoft has infrequently issued code changes meant to beef up security of a product even though it's not technically vulnerable to attack.
"The general idea is that the vulnerability is on a new platform, and that during its due diligence, Microsoft found the same [flawed] code in older platforms," said Storms. "But because they couldn't actually execute the vulnerability on those [older versions], they're making changes just in case something in the future is found that can exploit the bug."
This will be the second month running that Microsoft patches IE: In November, it quashed three critical bugs in IE9. At the time, Storms argued that Microsoft had probably also found one or more of those flaws in IE10, but had managed to fix them before it shipped the browser on Oct. 26.
Other updates will tackle one or more critical vulnerabilities in Windows -- including one applicable to Windows 8 and Windows RT; at least one critical bug in Word 2003, 2007 and 2010 on Windows; and some critical flaws in Exchange 2007 and 2010.
That last caught Storms' eye.