Microsoft next week plans to issue eight bulletins, including four critical, addressing vulnerabilities in Microsoft Windows, Internet Explorer (IE), Microsoft Office and its other products.
The first four bulletins will patch critical vulnerabilities in Microsoft Windows, Internet Explorer and the Microsoft .NET Framework, according to a Microsoft Advanced Notification issued on Oct. 3.
Bulletins 1-4, deemed "critical" by the Redmond, WA.-based software vendor, could allow for remote code execution. The first, second and fourth bulletins will definitely require a restart, while the third may require one.
Particular attention is being paid to the first bulletin, which may contain a permanent fix for a high-profile IE zero-day vulnerability that was discovered within the last month. Security firm FireEye, who initially uncovered the IE vulnerability, has since learned that at least three separate attack campaigns are actively exploiting the zero-day.
Though Microsoft issued a temporary "Fix it" in September for the vulnerability, pressure to provide a permanent patch increased on Monday when the popular penetration-testing tool Metasploit released a module for the zero-day. As for whether Bulletin 1 does indeed resolve the IE zero-day, Ross Barrett, senior manager of security engineering at Boston-based Rapid7, is hopeful.
"The answer is, we won't know for sure until Tuesday, but it could and it should," Barrett said. "This is definitely where I would focus my patching efforts."
Bulletins 2, 3 and 4 address vulnerabilities on a wide range of Microsoft products, including Windows XP, 7 and 8, and Windows Server 2003, 2008 and 2012.
In addition to the critical bulletins, Microsoft has marked four more bulletins as "important." Of these bulletins, three may require a restart and one does not.
Bulletins 5, 6 and 7 address vulnerabilities that could allow for remote code execution.
The bulletins will be released on Oct. 8.
Separately, Adobe Systems Inc. is currently preparing to patch critical vulnerabilities in two of its products, Reader and Acrobat. The vulnerabilities were assigned a "priority rating" of 2, which signals that the products have historically been at elevated risk, according to Adobe's rating system. The patches should go live on Oct. 8 too.