Microsoft users should prepare themselves for eight patches, four of them critical, in the next Patch Tuesday update.
The first critical patch deals with Internet Explorer, according to Microsoft's advance notification released on Thursday.
Several experts are expecting it to be a permanent fix for a zero-day Internet Explorer flaw that allowed attackers to compromise at least three major Japanese media websites. The bug, CVE-2013-3893, which has also been picked up by numerous hacking groups to target users, spurred Microsoft to issue a temporary fix at the end of September for the vulnerability.
While the zero-day is a remote code execution vulnerability in IE 8 and 9, the issue could impact users running all supported versions of the web browser. Last week, Darien Kindlund, manager of threat intelligence at FireEye, told SCMagazine.com that one media site serving up the exploit had been visited at least 75,000 times before the issue was resolved.
The remaining critical patches address Windows and Microsoft .NET framework issues, while the other four patches are listed as important and deal with Office – notably 2007, 2010 and 2013 versions of content management application SharePoint – and Silverlight problems.
Considering how vulnerable SharePoint has been lately and how difficult it is to patch, Tyler Reguly, technical manager of security research and development with IT security software company Tripwire, questioned the value it still provides over similar offerings.
“Bulletin 5 needs more attention as internet-facing servers and services are usually first to be targeted,” said Tommy Chin, technical support engineer with computer and network security company CORE Security. “It is likely, however, that Bulletin 1 will affect a larger group of regular users. There aren't any privilege escalation disclosures this month, which means that the potential attacks will be geared toward unprivileged account access.”