Critical fixes for Windows and IE coming in big Patch Tuesday

Microsoft to release 13 patches covering 22 vulnerabilities next week

In another big Patch Tuesday, Microsoft will release 13 patches next week covering 22 vulnerabilities, including two critical patches to prevent remote code execution attacks in Windows and Internet Explorer. Three other less critical patches will close holes that would allow denial-of-service attacks on Windows, and a majority of the 13 patches will require a restart.

Microsoft Office, .NET and Visual Studio will also be patched.

The 13 patches are a large total but short of the 16 released in June, and short of the record 17. However, nine of the 16 June patches were rated as critical, whereas only two this month merit the most severe rating. The 22 vulnerabilities to be closed this month are just a fraction of the record 64 set in April 2011.

Only four patches were issued last month, because Microsoft alternates between big and small releases to relieve the pressure on IT administrators.

Bulletin #1 on next week's list of 13 looks to be the most serious, as it is rated critical on Windows 7, Vista and XP, Windows Server 2003 and 2008 (including R2, the most recent release), and Internet Explorer versions 6 through 9. The patch requires a restart and is designed to prevent remote code execution.

Bulletin #2 will also require a restart and prevent remote code execution, but is rated critical only on Windows Server 2008 and Windows Server 2008 R2. The patch is rated only as important on Windows Server 2003, which is slightly unusual because Microsoft says vulnerabilities are typically less serious in newer versions of its products. The desktop versions of Windows are not affected.

Overall, nine patches affect Windows, one affects Internet Explorer, one affects Office, and two each affect the .NET Framework and Microsoft Developer Tools. Four of the 13 patches prevent remote code execution, three prevent elevation of privilege, three prevent denial-of-service attacks, and three prevent information disclosure.

In other news, Microsoft released an annual security report which incorrectly claimed that vulnerabilities allowing remote code execution - a critical problem - are declining. Microsoft has since updated the report, and it turns out remote code execution flaws are actually on the rise, and the total number of reported vulnerabilities is rising as well.

We'll be back with more on the Microsoft Subnet after the patches are released Tuesday. Microsoft will issue them around 1 p.m. Eastern Time.

Follow Jon Brodkin on Twitter

Copyright © 2011 IDG Communications, Inc.