Building on its once-a-month patch delivery schedule, the company recently started alerting security administrators, on the Thursday preceding the second Tuesday of each month, to what they can expect the following week.
There will be at least three patches, which will likely require the patched computer to be restarted after the patch is applied, Microsoft said in its advance notification.
The company does not disclose the nature of the vulnerabilities it is patching, but well over three Windows vulnerabilities for which patches are not available are already broadly known on the Internet, and some of them have working exploits available.
Last week, UK-based researchers at Secunia Ltd warned of three extremely critical holes in Internet Explorer. The firm said exploit code was available that works against IE 6, even on a Windows XP Service Pack 2 box.
In December, a Chinese research outfit, Xfocus Team, disclosed three image-handling vulnerabilities in Windows that could be exploited to take over machines via email or the web. Patches are not yet available.
And eEye Digital Security Inc, one of the security firms that does not disclose details of vulnerabilities before patches are available, currently says it is waiting for Microsoft to patch two high-severity bugs, one of which it found in August and the other in November.
Microsoft’s stated policy is to never release a patch until it has been tested to ensure it works and does not cause unreasonable conflicts. Its record time from notification to patch currently stands at about a month.