Microsoft is set to release five security patches for its products next Tuesday, including a highly anticipated IE (Internet Explorer) fix that will address a bug hackers have been exploiting over the past two weeks. Along with the critical IE patch, Microsoft will repair three other issues in its Windows operating system, as well as an unspecified problem in Office that is rated as moderate.
Although some experts had called for Microsoft to release an early version of the IE patch, ahead of its previously scheduled 11 April security updates, that possibility now seems unlikely. "Our test and engineering plan for that update that we began two weeks ago is on track to have that update ready for Tuesday," wrote Stephen Toulouse, security program manager with Microsoft's security-response centre.
Microsoft releases its security patches on the second Tuesday of every month, a predictable process that makes corporate system administrators happy. But the schedule has led some users to download unsupported third-party security updates in between official patch releases from Microsoft.
Prompted by the severity of the IE bug, known as the "create TextRange ()" vulnerability, security vendors eEye Digital Security and Determina have already offered free downloads that fix the IE bug. To date, eEye reports more than 100,000 downloads of its software, which is not recommended by Microsoft.
Microsoft has plenty of other browser problems to address in the patches, including a second critical vulnerability that, like the create TextRange () bug, could be exploited by hackers to take over a system. Security researchers have also reported two less-critical IE problems with the browser, including a newly discovered bug that could be used by phishers to trick users in to thinking they are visiting trusted websites. More information about the vulnerability is available here.
Microsoft has not confirmed that Tuesday's patches will address any of these other IE problems.
It has said, however, that the security fixes will include some ActiveX changes aimed at bringing the company into compliance with a 2003 court decision relating to patents held by Eolas Technologies Inc and the University of California. These changes will alter the way Internet Explorer works with some multimedia technologies such as Flash and QuickTime, and they have forced many web developers to make changes to their sites.
For corporate users who are not ready for the Eolas changes, Microsoft has said that it will also issue a "compatibility patch", which will undo the changes for about two months.
Microsoft offered few other details on the other security patches expected next week, except to say that some of them will require the computer to be restarted.