Microsoft Plans Emergency Patch Tuesday

Two out-of-band security bulletins will be issued tomorrow to fix a critical flaw in Internet Explorer and a related issue in Visual Studio. Microsoft is withholding details until the patches are released.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 27, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Microsoft late Friday said it would issue two security bulletins on Tuesday, July 28, outside of its regular monthly patch cycle. The company typically releases "out-of-band" bulletins to address vulnerabilities that demand immediate attention.

In a statement, Mike Reavey, director of the Microsoft Security Response Center, provided few particulars other than saying the two bulletins -- one affecting Visual Studio and one affecting Internet Explorer -- will address a single, overall issue. "While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications," he said. "The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin."

He said that the Internet Explorer bulletin will address "critical" issues in Internet Explorer unrelated to the Visual Studio vulnerability.

He also said that Microsoft customers who have the most current security updates are protected from known attacks related to the vulnerabilities addressed by the two emergency bulletins.

A substantial portion of Microsoft customers are nonetheless likely to have vulnerable software. In mid-2008, according to Google, 45.2% of Internet users visiting the search site weren't using the most up-to-date version of their browser.

Out-of-band patches are unusual but certainly not unheard of. Last December, Microsoft released an out-of-band security update, MS08-078, to fix a vulnerability in Internet Explorer.

The company also released an out-of-band update last October, MS08-067, to fix a problem with Windows Server that could, and did, allow a malicious worm to spread: The vulnerability was subsequently exploited by the Conficker/Downadup worm because Microsoft users didn't patch quickly enough.

InformationWeek Analytics and DarkReading.com have published an independent analysis of security outsourcing. Download the report here (registration required).

Read more about:

2009

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights