Microsoft today announced it will deliver five security updates to customers next week, two tagged as "critical," including one that will quash the open vulnerability in Internet Explorer (IE) that hackers have been exploiting since January.

Four of the five updates will affect Windows XP, the nearly-13-year-old operating system that Microsoft plans to retire from patch support on April 8. After next week's Patch Tuesday, Microsoft has just one more chance to fix flaws in the aged OS before it pulls the plug.

One of the two critical updates patches all versions of IE, including the even-older-than-XP IE6, as well as the newest IE11, which runs only on Windows 7, Windows 8 and Windows 8.1.

On the client editions of Windows, the IE fix -- dubbed "Bulletin 1" in today's advance notification -- was rated critical, Microsoft's most serious threat rating, for all versions of the browser.

Two weeks ago, Microsoft confirmed at least one vulnerability in IE9 and IE10 after security company FireEye found attacks targeting current and former U.S. military personnel who visited the Veterans of Foreign Wars (VFW) website. Another security vendor, Websense, reported that it had found an exploit leveraging the same IE bug on the website of a French aerospace association, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), whose members include defense and space contractors.

Websense cited evidence that exploits had been in circulation as early as Jan. 20, 2014.

Later, Aviv Raff, chief technology officer at security firm Seculert, contended that the attacks uncovered by FireEye and Websense were the work of two hacker groups.

Although Microsoft today continued to characterize the attacks as limited in scope, Symantec begged to differ last week. The California antivirus vendor said its telemetry showed that attacks against IE were "expanding to attack average Internet users" at the time.

Computerworld