Microsoft on Thursday warned Windows users to expect three security bulletins May 9, the Redmond, Wash. company's regularly-scheduled second-Tuesday patch day. At least two of the three will include fixes for flaws Microsoft dubs "critical."
Two of the trio affect Windows, while the third will resolve one or more issues in the Microsoft Exchange mail server software. At least one of the Windows' bug fixes will be tagged "critical" by Microsoft, as will the Exchange patch.
At the same time, the company will roll out a refreshed edition of its malware cleaning utility, Windows Malicious Software Removal Tool, and two non-security, high-priority updates via Microsoft Update (MU) and Windows Server Update Services (WSUS). By limiting the non-security updates to those mechanisms, it's likely that they're related to Microsoft Office, or another product which MU supports.
There is a high probability that one of the Windows bulletins will be an update for Internet Explorer (IE), Microsoft's browser. Several as-yet-unpatched vulnerabilities in IE have been disclosed recently that can be exploited by attackers who draw victims to malicious Web sites, including one made public only two week ago.
Included in the Exchange patch will be a change that will reduce e-mail address spoofing, added Microsoft. Companies running RIM's BlackBerry Enterprise Server will be most affected by this change.
May's security bulletins will be available for manual download from the Microsoft Web site, and will be pushed to users via the company's automated update services and programs, which include Microsoft Update, Windows Update, Windows Server Update Services, and Software Update Services.
As usual, Microsoft will shoot for a 10 a.m. PDT roll-out of the fixes. Last month, Microsoft unveiled 5 patches that fixed 14 flaws; later in April, it was forced to re-release one of the updates because of conflicts with various Hewlett-Packard programs and older NVIDIA graphics card drivers.