June 07, 2013, 11:11 AM — Microsoft today said it will ship just five security updates next week, the fewest in any month so far this year, to patch 23 vulnerabilities in Internet Explorer (IE), Windows and Office.
The update for Office will address a bug that is now being exploited by hackers, a researcher claimed.
"There have been limited attacks using this vulnerability in the wild," said Paul Henry, a security and forensic analyst at Scottsdale, Ariz.-based Lumension, in an email. "Although it's not considered to be publicly known, it is being actively exploited to some extent." The exploits have been distributed in malicious files sent to potential victims via email, Henry added.
According to the advance notice Microsoft published Thursday, Office will be patched by Bulletin 5, a placeholder moniker that will receive its official designation next week. Bulletin 5 will update Office 2003, the 10-year-old version that gets its retirement papers in April 2014, and the latest edition for OS X, Office for Mac 2011.
Andrew Storms, director of security operations at Tripwire's nCircle Security, was stumped by the update's aim at versions separated not only by operating systems, but also by eight years. "I have no idea," said Storms when asked what Office 2003 and Office for Mac 2011 had in common that wasn't also included in later suites for Windows, such as Office 2007, 2010 or 2013.
Even though the Office bug is being exploited at the moment, Henry, Storms and others put the spotlight instead on Bulletin 1, the IE update.
"You don't need to wait until Tuesday to set your priorities," Storms said. "It's obviously [the] IE [update] at the top of the list."
Bulletin 1 will patch all supported versions of IE, ranging from the 12-year-old IE6 to 2012's IE10. Bulletin 1 was the only one pegged as critical, the highest threat ranking in Microsoft's four-step system. Henry said Bulletin 1 will patch 19 of the 23 vulnerabilities scheduled to be addressed next week in the five updates.
"If left unpatched, this vulnerability can cause remote code execution, which implies that an attacker can take control of the victim computer if the victim browses to a malformed website using IE," explained Amol Sarwate, director of Qualys' vulnerability lab, in an email. "Since the browser is a window to the Internet, IE users should apply this patch as soon as it is released."
Storms put it more succinctly. "These vulnerabilities could be used in drive-by attacks," he said, describing attacks that lurk on malicious or compromised websites, and trigger as soon as a vulnerable browser visits. "But then, I can't think of an IE vulnerability that wasn't a drive-by."
The other three updates -- like Bulletin 5, labeled "important" by Microsoft -- affect Windows. Two of the three, however, are unusual in that while they don't affect Windows XP, the oldest of the client OSes, they will fix flaws in Windows 7, Windows 8 and Windows RT.
When a patch doesn't cover every supported version of Windows, it usually applies to the older editions rather than the newer ones. When the opposite happens, Storms said, it's because the vulnerabilities are in new features or services, or in code that was completely rewritten rather than simply carried forward from one version to the next.
Microsoft did not reveal whether one of the three Windows updates will patch a flaw in the kernel disclosed two weeks ago by Google security engineer Tavis Ormandy. Ormandy did not report his findings to Microsoft, but instead posted messages to the Full Disclosure security mailing list.
Ross Barrett, senior manager of security engineering at Rapid7, speculated that Bulletin 4 may contain a fix for Ormandy's discovery. "Bulletin 4 ... roughly fits the profile of Ormandy's vulnerability," said Barrett in an email today. "However, there has been a condition that fits that profile, more or less, every month for the past year."
June's Patch Tuesday will mark the year's halfway point: Including next week's five bulletins, Microsoft will have issued 51 updates, 21% more than in the first six months of 2012, but 2% fewer than during the same period in 2011.
Microsoft will release next week's security updates on June 11 around 1 p.m. ET.
This article, Microsoft to tackle under-attack Office bug next week, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.