Microsoft today said it will issue 10 security updates next week, two rated "critical," to patch 34 vulnerabilities, including the zero-day bug that has been used by cyber criminals to poison "watering hole" websites in attacks aimed at U.S. government workers.

"IE is always critical, and we expected at least one update this month," said Andrew Storms, director of security operations at Tripwire's nCircle Security, in an interview. "What was surprising was the IE8 fix."

The remaining eight updates, called "bulletins" by Microsoft, were pegged as "important" on the firm's threat scale, and will provide patches for Windows, several applications in the Office family and for multiple communications products, including Lync, Microsoft's enterprise-grade instant messaging platform.

Three of the Windows security updates will affect Windows 8 and Windows RT, Microsoft's newest operating systems; one of the trio will patch only those two editions.

But the two updates aimed at IE are the ones to deploy ASAP, said Storms. Of the pair, the more important will be Bulletin 2, which will patch the zero-day in IE8 disclosed last week by several security firms when they analyzed attack code planted on the U.S. Department of Labor website.

"We are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140," said Dustin Childs, group manager of the Trustworthy Computing group, in a post to the Microsoft Security Response Center (MSRC) blog today.

Computerworld