Microsoft to issue more critical patches next week for Win7 than XP
IE update likely the one users will want to apply ASAP, say researchers
Computerworld - Microsoft today said it would deliver nine security updates next week, four of them critical, to patch 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net and Silverlight.
This year's February Patch Tuesday will feature three fewer updates and one less patch than 2011's.
Four of the nine updates were tagged "critical," the highest threat ranking in Microsoft's four-step system, while the other five were marked "important," the second-level rating. All of the critical updates and two of those pegged important will patch bugs that Microsoft admitted could be exploited by attackers to hijack computers and plant malware on PCs.
One interesting thing in today's advance notification, said Andrew Storms, director of security operations at nCircle Security, was the impact on Windows Server 2008 R2, Microsoft's newest server operating system.
"Seven Windows- and IE-related bulletins are applicable to Server 2008 R2, but Windows XP [32-bit] has only four. It's another lopsided month," said Storms, referring to past Microsoft claims that older software receive more security updates than newer titles.
That upside-down pattern has been prevalent lately. "If it keeps up, pretty soon 'lopsided' won't be lopsided," Storms said in an interview.
Another sign is the difference in the number of bulletins that affect Windows XP and Windows 7: One critical update is not applicable to the 10-year-old Windows XP, but does affect both 2007's Windows Vista and 2009's Windows 7.
Storms and several other security experts who weighed in via email unanimously pointed to the IE update as the one users will want to deploy first.
Microsoft patches its browser every other month.
"Last month, we saw how quickly attackers are incorporating browser-based attacks into their toolkits," Wolfgang Kandek, chief technology officer of Qualys, said in an email today. "An exploit for MS12-004 was detected a mere 15 days after Patch Tuesday."
MS12-004 was issued Jan. 10 to quash a pair of bugs in Windows Media Player that could be exploited using "drive-by" attacks triggered when users simply browse to a malicious site. Two weeks later, antivirus firm Trend Micro said browser-based attacks leveraging a Media Player bug were already circulating.
Marcus Carey, a security researcher at Rapid7, agreed with Kandek. "We're seeing a great many browser patches from Microsoft these days because researchers and attackers have realized that browser exploits have the most potential for harm and are currently the best attack surface," Carey said.
Next Tuesday's IE update will address one or more vulnerabilities in all versions of the browser, from the decade-old IE6 to last year's IE9. Storms pointed out that IE6's update is graded as "moderate," third on Microsoft's scale, while the newer browsers' patches will be pegged critical or important, depending on the version and operating system.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts