Microsoft slates IE bug fix for next week
Will patch 23 vulnerabilities in Windows, its browser and other software
Computerworld - Microsoft today said it will ship eight security updates next week to patch 23 vulnerabilities in Windows, Internet Explorer (IE) and several other products in its portfolio.
The company sketched out the upcoming patches in an advanced notice of Patch Tuesday's line-up.
Two of the eight updates, which Microsoft refers to as "bulletins," will be rated "critical," the most-serious threat ranking in its scoring system. The remaining six will be labeled "important," the next-most-severe tag. Most of the bulletins, including four of the six pegged as important, are to patch vulnerabilities that attackers could exploit to execute malicious code, and potentially commandeer the computer, the company acknowledged.
Microsoft said that the eight updates will fix 23 security flaws. The company usually delivers a larger number of updates that patch a higher number of vulnerabilities in even-numbered months, leaving a lighter load for odd-numbered months.
In August, for example, Microsoft issued 13 updates that patched 22 vulnerabilities, while in September it delivered five updates that quashed 15 bugs.
This month's tallies were slightly sub-par for an even-numbered month: So far this year, Microsoft has patched an average of 26.2 bugs in those months. In odd-numbered months, Microsoft fixed an average of 9.4 flaws.
"In 2010, the up and down from odd- to even-numbered months was more recognizable," said Andrew Storms, director of security operations at nCircle Security. "This year, the numbers have been flatter lately. They're in the double digits almost every month. So IE is really the difference. We know we get an IE update every other month."
Storms is right: Since July, Microsoft has patched an average of 18.5 vulnerabilities in the odd-numbered months, and 22.5 bugs in the even-numbered months.
The IE update will probably be the one most users should deploy first, said Storms, advice he and other security experts almost always give every other month. That update is one of the two rated critical by Microsoft, and affects all currently-supported versions of the browser, including this year's IE9.
"I doubt there will be a story this month from Microsoft about how IE9 is more secure than its other browsers," said Storms, referring to the critical label Microsoft assigned to the new version's update.
The other critical bulletin will patch one or more vulnerabilities in the .Net framework included with every version of Windows, from 2001's XP to 2009's Windows 7. The same update will also plug a hole in the Silverlight 4 development tool.
Marcus Carey, a security researcher with Rapid7, pointed out that the .Net and Silverlight update sounds similar to MS11-039, a critical bulletin Microsoft issued in June.
- 7 Elements of Radically Simple OS Migration OS migration is typically time-consuming and expensive. To make your next migration easy, follow these six recommendations when planning your project.
- Flying High on the Use of Red Hat Enterprise Linux Flybe was one of the 21 companies that were interviewed for quantitative results on their operations as part of an IDC ROI analysis....
- Who does NSS Labs "Recommend" for NGFW? In 2012, NSS Labs found that most available NGFW solutions "fell short in performance and security effectiveness." In 2013 NSS Labs noted "marked...
- 9 Essentials for a Complete Cloud-to-Cloud Backup Solution In 9 Essentials for a Complete Cloud-to-Cloud Backup Solution, we'll walk you through potential sources of data loss in the cloud and provide...
- Protecting Critical SaaS Data Before It's Too Late In this webinar, you'll hear how to avoid SaaS data loss through best practices from a panel of experts.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Operating Systems White Papers | Webcasts