MS Patch Day: 3 Critical Bulletins on Tap

Redmond plans to ship three high-priority security bulletins: two for the Windows operating system and one for Microsoft Office users.

Microsoft has provided advance notice that three "critical" security bulletins will be released in this month's patch batch.

The bulletins will include patches for flaws in Microsoft Corp.'s flagship Windows operating system and the Microsoft Office desktop productivity suite.

As is customary, the software giant isn't providing any details until July 12, when the bulletins are posted.

The three updates represent a relatively small batch of patches, coming on the heels of last month's barrage when Microsoft shipped 10 bulletins, including a "critical" update for the Internet Explorer browser.

This time around, security researchers are expecting another cumulative IE patch to address a known code execution flaw in the widely deployed browser.

Over the last week, Microsoft has been providing pre-patch workarounds and mitigation guidance alongside warnings that potentially destructive exploit code has been posted on the Internet.

Microsoft typically includes IE patches under the Windows umbrella in its Security Bulletin Advance Notice mechanism. However, because IE patches require extensive testing, there have been long delays in the past in getting a cumulative browser update out the door.

"When exploits are out in the wild, they will put a rush out on a patch. They've released IE patches in quick time before," said Marc Maiffret, co-founder and chief hacking officer at eEye Digital Security, a private research outfit that works closely with Microsoft on fixing security vulnerabilities.

"When they're motivated to fix things quickly, they can," he added.

eEye maintains a list of unpatched security vulnerabilities and the time that has elapsed since the bug was first reported to the company. According to Maiffret, there are four Microsoft flaws that have not been addressed, including one that is 40 days overdue.

Microsoft is also expected to release an updated version of its malicious software removal tool to add detection for new worms, Trojans and virus variants.

The company will also push out a non-security, high-priority update for Microsoft Office.