This coming Tuesday, November 12, Microsoft will release eight updates for Microsoft Windows, Office and Internet Explorer to patch an as-yet unspecified number of vulnerabilities in them. Three of the updates, affecting Windows and Internet Explorer, are rated critical.
All supported versions of Windows, including the recently released 8.1, are affected by at least one critical vulnerability. The one bulletin that affects Internet Explorer fixes a critical vulnerability in all versions of the browser, including the brand new Internet Explorer 11. Three other Windows bulletins are rated important.
Two other bulletins, both rated important, affect all supported versions of Microsoft Office.
Microsoft will also release their other usual monthly updates, including a new version of the Malicious Software Removal Tool and a large number of non-security updates.
Earlier this week. The vulnerability is being used in zero-day attacks specifically against Office. The Patch Tuesday updates this month will not address this vulnerability.
Today Microsoft issued a clarification of the bulletin for that vulnerability. The main point of the clarification is that only some Office users are being attacked, not users of the other products who are not running an affected version of Office. The product matrix is confusing because of the way GDI+, the affected component, is bundled with different products. If you are concerned about the vulnerability, see the Microsoft bulletin for instructions on how to work around it until an update is ready from Microsoft.