Microsoft to issue nine patches, no word on XML fix

Microsoft's monthly security update will consist of nine fixes to address 16 vulnerabilities, the software company announced Thursday.

The patches, due on Tuesday, will cover weaknesses in Windows, Office, Internet Explorer (IE) and Visual Basic for Applications.

It is not clear whether Microsoft will offer a patch for a zero-day vulnerability in XML Core Services, which is being actively exploited in attacks on IE. The company has issued a temporary Fix-It solution for the issue, but many IT administrators are eagerly awaiting a permanent fix, especially with news that the exploit has been added to popular toolkits.

If the patch for the bug is coming, security experts said it will be found in Bulletin 1, one of three that earned Microsoft's highest severity rating of "critical." The jury is still out, though: the Microsoft Security Response Center blog post that announces the monthly security updates typically indicates whether a zero-day hole is being plugged, but this time there was no mention of it.

A Microsoft representative did not immediately respond to an email seeking clarification.

The other patch garnering attention this month is for a vulnerability in Internet Explorer 9. Though the flaw only affects the most recent edition of the web browser, an IE fix will catch some off guard because Microsoft typically updates the software once every two months -- and a cumulative patch last came in June.

UPDATE: Microsoft confirmed to SCMagazine.com that a patch for the XML vulnerability is expected next week.
