X

Microsoft to slap patch on risky IE hole

Next week will see five security updates for Windows and Office, including a fix for a browser flaw being used in cyberattacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
See full bio
Joris Evers
2 min read
As part of its monthly patching cycle, Microsoft plans on Tuesday to release five security bulletins with fixes for flaws in Windows and Office.

At least one of the alerts is deemed "critical," Microsoft's highest risk rating, the software maker said in a notice posted on its Web site on Thursday. It tags as critical any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

One of Tuesday's bulletins will be for its Internet Explorer Web browser. It will include a comprehensive update with multiple fixes, including one for the publicly known "CreateTextRange" vulnerability, Microsoft said. It did not specify what other issues its additional Tuesday patches will repair, or how many flaws will be tackled.

Security researchers have noted several unpatched flaws in IE. The CreateTextRange bug is considered most critical by experts. The flaw is being exploited by malicious Web sites to install spyware, remote-control software and Trojan horses on vulnerable PCs, experts have said. Third parties have provided temporary fixes.

As part of its monthly patch day, Microsoft also plans to release an updated version of the Windows Malicious Software Removal Tool. The software detects and removes common malicious code placed on computers.

Additionally, this month's patches will make a change to the way IE handles Web programs called ActiveX controls. These tweaks are related to a long-running patent dispute between Microsoft and a startup backed by the University of California. The changes can affect how certain sites display in the browser.

People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.

Microsoft gave no further information on the upcoming bulletins, other than stating that some the Windows fixes will require restarting the computer. The Office fix may also require a restart, it added.

The Redmond, Wash., software maker offers advance notification about patches so people can get ready to install the updates.

Last month, Microsoft released two security bulletins covering six flaws in Office, most of which were related to Excel, and one flaw in Windows. The Office bulletin was tagged critical, while Microsoft deemed the Windows problem "important," one notch lower on its four-tiered rating scale.

Microsoft said it will host a Webcast about the new fixes on Wednesday at 11 a.m. PDT.