Microsoft will release seven security bulletins next week, three of which are rated as critical and are for Windows, Internet Explorer, Office and Exchange.
According to the advance notification, five of the fixes are for remote code execution flaws, while the others are for information disclosure and elevation of privilege.
Russ Ernst, director of product management at Lumension, said: “If all seven are released as planned, the total number of patches in 2014 will hit 84. This year’s patch load is close in quantity to 2012, when 83 patches were released in all. Last year was a busier year for IT with 105 needed Microsoft patches. The good news is 2014 is on track for just 29 critical-rated patches, which is an improvement over both 2012, when 35 critical patches were issued, and 2013, when there were 42.
“For December, three out of the seven planned bulletins will impact Microsoft Office. Bulletin two looks to be another update for Internet Explorer, the 12th one we’ve had this year. With the balance of next week’s bulletins impacting Windows, December will be a month for IT to focus on the desktop.”
Karl Sigler, threat intelligence manager at Trustwave, said: “Several of the CVEs included in this bulletin are ‘critical’ and the most severe are likely to be memory corruption vulnerabilities. Internet Explorer users will absolutely want to patch these vulnerabilities as soon as possible to have a more secure surfing the web experience.
“This security update will be light compared to the previous update Tuesday. None of the CVEs included in this release are exploited in the wild at the moment. Also, it’s not likely there will be a vulnerability as nasty as the Schannel Remote Code Execution vulnerability (MS14-066) from last month.”