Microsoft plans to patch critical Windows bug next week
But it's not ready to fix newest IE and Windows flaws
Computerworld - Microsoft today announced it would release just two security updates next week to patch three vulnerabilities in Windows.
One of the two was tagged with the "critical" label, Microsoft's highest threat ranking, while the other was marked "important." Microsoft typically assigns a critical rating to vulnerabilities that can be exploited with little or no action on the part of a user.
Both updates will patch flaws in Windows.
What Microsoft pegged as "Bulletin 1" in the advance notification it published today will affect only Windows Vista, while "Bulletin 2" will affect all still-supported versions of the OS, with the client editions -- XP, Vista and Windows 7 -- labeled critical and the server software rated important.
"The Vista one is confusing," said Andrew Storms, director of security operations at nCircle Security. "It's either something introduced in Vista but doesn't exist in Windows 7, or the component was rewritten for Windows 7."
Storms speculated that the flaw might be in a part of operating system that's little used, such as the task scheduler.
As for Bulletin 2, Microsoft's bare bones write-up -- typical of its advance warnings prior to Patch Tuesday -- also doesn't offer many clues.
"It's critical in all the desktop clients and important in the server, and consistent in the whole stack," said Storms, talking about Microsoft's threat ratings. "The difference in the criticality is confusing, and Microsoft's not giving us much to go on."
The bug(s) patched by Bulletin 2 are most likely in an operating system DLL (dynamic-link library), said Storms, perhaps a driver or database connector, that's crucial to the OS.
Next week's updates will be a far cry from last month's, when Microsoft issued a record 17 security bulletins and fixed 40 flaws, the second-largest number ever.
"I'll take it," said Storms, referring to the relatively easy Patch Tuesday next week compared to the monster update Microsoft pushed to customers in December.
Microsoft will not be patching either of the vulnerabilities that the company recently acknowledged -- and issued security advisories for -- said Carlene Chmaj, a spokeswoman for the Microsoft Security Response Center (MSRC), in a post Thursday to the team's blog. "We continue to actively monitor both vulnerabilities," she said.
Two weeks ago, Microsoft confirmed a critical bug in all versions of IE, including the newest production edition IE8, that hackers could exploit by convincing users to visit a malicious site. On Tuesday, the company acknowledged a serious flaw in Windows XP, Vista, Server 2003 and Server 2008.
Chmaj also confirmed that Microsoft has seen in-the-wild targeted attacks exploiting the IE bug. Microsoft typically releases an emergency, or "out-of-band," security update only if attacks spike.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts