Gearing up for next week's Patch Tuesday release, Microsoft announced Thursday that it's preparing six security updates -- four of them for critical bugs.
One security update actually can patch multiple vulnerabilities, so it's unclear at this point how many flaws next week's releases will fix. Microsoft, though, did announce in its Security Bulletin Advance Notification that each of the four critical updates will affect Windows software, while only one affects Internet Explorer. Another one will address issues in Outlook Express, as well as Windows Mail.
One critical vulnerability affects Windows Mail in Windows Vista and Windows Vista x64 edition. There is another patch for Windows Vista that's rated "moderate."
All of the critical bugs being fixed enable remote code execution, meaning that a remote hacker could take over an affected system.
The one security bulletin that received Microsoft's second-highest threat rating of "important" affects the Office application suite, as well as Microsoft Visio, which is diagramming software. The flaw being fixed also enables remote code execution. It's not yet clear why this is not a critical flaw, as nearly all remote code execution vulnerabilities are rated that way.
The "moderate" security bulletin affects a bug in Windows that causes information disclosure.
Johannes Ullrich, CTO for the Internet Storm Center, a cooperative cyberthreat-monitoring and alert system, said this seems like an average-size patch release for Microsoft -- slightly smaller than last month, when Microsoft released seven bulletins in its monthly patch release. He is hoping, though, that several of the outstanding Internet Explorer flaws are fixed in the June 12 release.
"There are about six publicly known IE bugs out there," he added in an interview. "Typically, Microsoft issues patches that fix multiple bugs. Last month, four vulnerabilities were fixed with one IE patch. That would be good."
Ullrich also is hoping that Microsoft patches several outstanding Office vulnerabilities. "It's definitely one of the issues that keeps bugging users," he said. "We haven't seen any of them widely used yet. They're being used in smaller, targeted attacks."