Microsoft readies 10 patches for next week
Six of the fixes address bugs in Windows and the other four remediate issues in Internet Explorer, Word, Excel and Office, according to an advance notification bulletin issued Thursday.
Microsoft won't say specifically what the patches fix, but there are two zero-day issues -- announced in May -- that are being actively exploited: a privilege-escalation flaw in the Internet Information Services (IIS) web server and a bug in DirectX, used on Windows to enable graphics and sound.
Microsoft said it does not plan to release a patch for the latter flaw.
"Our security teams are working hard on a security update that addresses this issue to protect customers, but we do not yet have an update that has reached the appropriate level of quality for broad distribution," Jerry Bryant of Microsoft said Thursday on the company's Security Response Center blog.
But Tas Giakouminakis, CTO of Rapid7, provider of vulnerability management, said a fix may be coming for the IIS issue. If it does, administrators should take it seriously.
"We've seen them [Microsoft] probably, best case, 10 days from zero day to actually getting a patch out," he said. "The fact that you can bypass authentication and access files on a system...it's a critical item."
Microsoft also plans to issue another update for a PowerPoint hole that was patched last month but did not contain fixes for the Mac OS X.