Microsoft Internet Explorer (IE) and Office have received critical patches as part of this month’s Patch Tuesday update, in what has been a quiet month for the software vendorwhen compared to the previous two.
The seven patches included three ranked critical guarding against remote execution flaws, in addition to a privilege escalation bug and an information leaking bug.
Ross Barrett, senior engineering manager at security firm Rapid7, said that the bulletin for IE "has the broadest scope", including 14 common vulnerabilities and exposures (CVEs), "none of which are publically disclosed or known to be under active exploit".
"The shared CVE with [a scripting language VBScript] presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE," he added.
Patches for IE, Word and Office Web Apps fixed errors which could have allowed hackers to gain the same rights as a user they deceived, leading to potential remote code execution, further program installation or theft of data.
However other cybersecurity workers noted that the update capped off a less busy year for the firm than previous ones, with security bulletins released by Microsoft this year totalling 85, down from 106 the previous year.
Russ Ernst, director of product management at Lumension, said: "Even with that good news, the overall number of all vulnerabilities in 2014 is at an all-time high of nearly 7,500.
"With the Microsoft vulnerability count this year only accounting for just over 6%, down from nearly 10% last year, attackers are continuing the trend to focus on third party applications and platforms other than Windows."
Despite this, he added a warning to the firm, saying: "While there is no way to predict what 2015 will look like of course, I can’t help but wonder how the September cuts to the Trustworthy Computing Group at Microsoft will impact their ability to keep these statistics moving in the right direction."
