Microsoft plans to release next week four critical updates covering a wide range of products, a scenario likely to cause some headaches among IT departments.
The release scheduled for April 10 is the latest of Microsoft's security updates that fall on the second Tuesday of each month. The software maker plans to ship a total of six updates addressing 11 vulnerabilities. Two of the updates are rated important, a step below critical.
The critical updates cover all versions of Internet Explorer on their respective 32- and 64-bit Windows platforms starting with XP. One of the updates is for a diverse set of products, including Office, SQL Server, BizTalk, Commerce Server, Visual FoxPro, and Visual Basic.
"Anytime a bulletin covers such a wide range of products, IT security teams have to pause and think hard about deployment," Andrew Storms, director of security operations for nCircle, said in a statement. "It also requires some rigorous patch testing."
Some of the updates will require a system reboot, adding to the workload. But for many IT departments the effort will be necessary, since all the critical updates fix vulnerabilities that enable hackers to execute code from a remote location on an infected system. The IE flaws could result in a PC being infected through a Web site with specially crafted malware.
"The takeaway until organisations are patched up next week is watch where you are surfing on the Internet," Marcus Carey, security researcher at Rapid7, said in a statement. "Use an alternative browser until Internet Explorer is patched. Also, be very careful about opening up Microsoft Office documents."
Of the important updates, one deserves immediate attention from Office 2007 SP2 users, Wolfgang Kandek, chief technology officer for Qualys, said in the security vendor's blog. Hackers could exploit the vulnerability for remote code execution.