At the halfway point of 2013, Microsoft gave a bit of a break to IT admins with just five patch bulletins for June's Patch Tuesday updates.
But that doesn't mean IT admins should be complacent, as one critical bulletin contains fixes for 19 vulnerabilities in Internet Explorer. The fixes address flaws in all recent versions of IE.
Because IE is a common attack vector, the patches should be applied immediately, said Wolfgang Kandek, CTO at Qualys Inc., an IT security firm based in Redwood Shores, Calif. Attackers could exploit the vulnerabilities against an enterprise.
Office 2003 received a fix rated important for an issue where opening a specially crafted document could lead to remote code execution.
One silver lining: Kandek said many enterprises may have already moved on to newer versions of the software, but admins who are still running it should patch it.
The Windows kernel on 32-bit systems -- Windows Server 2008 and earlier -- is affected by an information disclosure vulnerability, rated important. Another bulletin delivered a fix for drivers, which, if unpatched, could lead to a denial of service. And a printer spooler issue is the focus of a patch that fixes an elevation of privilege vulnerability.
Windows patches in 2013: progress report
Microsoft so far has delivered 51 patch bulletins, an increase over last year when the company delivered 43 by June.
Kandek attributes the increase to Microsoft's responsiveness to more vulnerabilities, citing the monthly cumulative updates for Internet Explorer. In the past, IE was patched on a bimonthly basis.
"They're trying to be faster here," Kandek said.
He also noted how other companies signaled higher patching frequency, like Oracle with the issue-plagued Java. Oracle will switch to monthly patches instead of patches once every four months.
Kandek speculated that Microsoft is unlikely to switch to a patch release schedule faster than a monthly basis.
"Most companies like that they have a certain day" to plan and address patches, he said.