Microsoft is to issue five security patches for Windows and the Office productivity suite next Tuesday (11 April), including a critical fix for the widely publicised CreateTextRange vulnerability in Internet Explorer.
Some of the other fixes are also expected to be critical, but Microsoft will not confirm details. The Office fix only addresses a “moderate” threat, said Microsoft.
The fix for the critical IE vulnerability is being issued well over two weeks after the vulnerability was first discovered. Exploit code that takes advantage of the bug has been circulating on the internet for most of that period.
The delay in issuing a fix for this bug, and Microsoft’s decision to wait for the official patching cycle of the second Tuesday of the month to distribute it, will create much debate as to whether Microsoft is acting quickly enough to address security issues.
Two unofficial fixes from security firms have been available to plug the hole for well over a week, although Microsoft has warned users not to use them as they may disturb system settings.
In the meantime, many hundreds of malicious websites are already potentially infecting users with malware as a result of the IE vulnerability.