Microsoft to clean up after Oracle's patch mess again next week

Slates eight security updates for next week, including critical fixes to Exchange likely stemming from Oracle's Outside In technology

Microsoft will deliver eight security updates next week to patch dangerous vulnerabilities in Internet Explorer (IE) and the business-critical Exchange Server, as well as less-serious bugs in all versions of Windows.

Experts pushed the IE update to the top of their must-do-ASAP lists.

"That's No. 1, nothing trumps an IE update," said Andrew Storms, senior director of DevOps at San Francisco-based CloudPassage. "Browsers are the most targeted applications."

The IE update also got the nod from Wolfgang Kandek, CTO of security vendor Qualys. "This will be the most important bulletin to implement," Kandek wrote in an email. "It affects all versions of IE ranging from IE6 on Windows XP to IE10 on Windows 8 and RT."

Kandek was right: In the advanced notice Microsoft published Thursday, the company pegged the IE update as critical for every still-supported version of its browser, including the newest, IE10, which runs on Windows 7, Windows 8 and Windows RT.

Of the eight updates slated to ship next Tuesday, Microsoft labeled three of them "critical," the company's most severe rating. The remaining five will be tagged "important," the next step down in Microsoft's four-level threat scoring system.

Also critical was the planned update to all versions of Exchange Server, from Exchange 2007 to Exchange 2013, the version rolled out last October.

Some security professionals urged companies to patch Exchange before IE.

"This month is all about the Exchange server," said Tommy Chin, a technical support engineer at CORE Security, in an email. "The remote code execution [vulnerability] within the Exchange server represents a threat to all companies using Exchange to run their e-mail service."

Storms wasn't as concerned about the Exchange update. "I'll bet a ton of money that this is an update to Oracle's Outside In," he said.

Exchange relies on Outside In libraries to display file attachments in a browser rather than open them in a locally-stored application, like Microsoft Word.

Oracle patched Outside In last month, but because its security updates came a week after Microsoft shipped July's Patch Tuesday slate, this will be the Redmond, Wash. developer's first chance to update Exchange.

Microsoft has been forced to patch Exchange several times in the past because of bugs in Oracle's Outside In, most recently in February 2013, but also twice in 2012.

Storms thought Microsoft must be tired of plugging Oracle's holes, especially in Exchange, which as Chin of Core Security pointed out, is mission-critical software in business.

"What if all email suddenly became compromised? For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today's email conversations," Chin said.

"I wouldn't be surprised if Microsoft is looking at a different technology or even writing something in-house," said Storms.

Other security experts have also weighed in on the continuing Outside In-Exchange security problems.

In June, Will Dormann published research that outlined Exchange's increased risk to attack because of Outside In. Dormann, a vulnerability analyst at CERT Coordination Center, part of the public-private collaboration by U.S. CERT, recommended that businesses turn off Web Ready, the feature that applies the Outside In technology, or upgrade to Exchange 2010 or Exchange 2013. Those versions make exploitation of Outside In bugs much more difficult, said Dormann.

Other updates next week include a critical fix that applies only to the aging Windows XP and almost-as-old Windows Server 2003. Windows XP will be retired in April 2014, while Server 2003 has until July 2015 before it's pastured.

The five updates marked important will patch vulnerabilities in various versions of Windows. If the updates are not deployed, criminals may be able to conduct denial-of-service attacks -- crashing Windows -- steal information stored on Windows' PCs or acquire additional privileges that would let them run more threatening attacks or cyber espionage campaigns.

Microsoft will release next week's security updates on Aug. 13 around 1 p.m. ET.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies