Microsoft is set to release five security patches for its products next Tuesday, including a highly anticipated Internet Explorer (IE) fix that will address a bug that hackers have been exploiting over the past two weeks. Along with the critical IE patch, Microsoft will repair three other issues in its Windows operating system, as well as an unspecified problem in Office that is rated moderate.
Although some had called for Microsoft to release an early version of the IE patch, ahead of its previously scheduled April 11 security updates, that possibility now seems unlikely. "Our test and engineering plan for that update that we began two weeks ago is on track to have that update ready for Tuesday," wrote Stephen Toulouse, security program manager with Microsoft's security response center. (http://blogs.technet.com/msrc/archive/2006/04/06/424519.aspx)
Microsoft releases its security patches on the second Tuesday of every month, a predictable process that makes corporate system administrators happy. But the schedule also has led some users to download unsupported third-party security updates in between official patch releases from Microsoft.
Prompted by the severity of the IE bug, known as the "create TextRange ()" vulnerability, security vendors eEye Digital Security and Determina Inc. have already offered free downloads that fix the IE bug. To date, eEye reports more than 100,000 downloads of its software, which is not recommended by Microsoft.
Microsoft has plenty of other browser problems to address in the patches, including a second critical vulnerability that, like the create TextRange () bug, could be exploited by hackers to take over a system. Security researchers have also reported two less-critical IE problems with the browser, including a newly discovered bug that could be used by phishers to trick users into thinking they are visiting trusted Web sites. More information about the vulnerability is available at http://secunia.com/advisories/19521/.
Microsoft has not confirmed that Tuesday's patches will address any of these other IE problems.
It has, however, said that the security fixes will include some ActiveX changes aimed at bringing the company into compliance with a 2003 court decision relating to patents held by Eolas Technologies and the University of California. These changes will alter the way Internet Explorer works with some multimedia technologies like Flash and QuickTime, and they have forced many Web developers to make changes to their sites.
For corporate users who are not ready for the Eolas changes, Microsoft has said that it will also issue a "compatibility patch," which will undo the changes for about two months.
Microsoft offered few other details on the other security patches expected next week, except to say that some of them will require the computer to be restarted.