Microsoft will release two critical security updates for Windows next week, though it remains unclear whether either will fix an outstanding Internet Explorer issue that is currently the target of malicious code.
On its TechNet site today, Microsoft said its next scheduled "Patch Tuesday" release on Dec. 13 will feature a pair of bulletins affecting Windows, at least one of which is expected to be deemed critical.
Additionally, the software giant will release two non-security high-priority updates on Windows Update and Software Update Services (SUS), plus three other non-security high-priority updates via Windows Update and Windows Server Update Services (WSUS). Per usual, its malicious software removal tool will be updated as well.
Though as it does each month, Microsoft included the following disclaimer: "Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released."
It remains to be seen whether Microsoft will address a memory corruption flaw in the browser that is currently the target of malicious Trojan.
"This issue was originally reported to the public in May as being a stability issue that caused the browser to close," the software giant said in an advisory on its Web site. "Since then, new information has been posted that indicates remote code execution could be possible. We have also been made aware of proof-of-concept code and malicious software targeting the reported vulnerability."
Microsoft warned in a subsequent advisory that TrojanDownloader.Win32/Delf-DH is targeting the flaw. "This Trojan is downloaded to a computer automatically when a user visits certain Web sites," Microsoft said.
It indicated that an out-of-cycle patch security update may be necessary, causing speculation that Microsoft may release a patch prior to this coming Tuesday. However, no such update has yet been released.