Microsoft plans patches for IE10, Windows 8 next week
Will fix first bugs in company's newest browser, again address Windows 8 and Windows RT flaws
Computerworld - Microsoft today announced it will deliver seven security updates next week to patch 11 vulnerabilities, including the first that apply to Internet Explorer 10 (IE10), the company's newest browser.
As it did last month, Microsoft will also patch Windows 8, Windows RT and Windows Server 2012, its new desktop, tablet and server operating systems.
Five of the seven updates will be marked as "critical," Microsoft's highest threat ranking, while the remaining pair will be labeled "important," the Redmond, Wash. developer said in an advance warning published today.
Andrew Storms, director of security operations at nCircle Security, put the IE update atop his tentative to-do list. Others did, too, including Paul Henry, a researcher with Arizona-based Lumension.
In an email Thursday, Henry said that the bugs in IE9 and IE10 -- the only versions directly affected -- were "use-after-free" memory management vulnerabilities.
Given the IE update's critical label, it's likely that the bug(s) can be exploited by hackers using "drive-by" attacks, which execute as soon as an unsuspecting user surfs to a malicious or compromised website.
Although IE9 and IE10 -- the latter is the latest in Microsoft's browser line and so far has shipped in final form only for Windows 8, Windows RT and Server 2012 -- will be patched, other still-supported editions will get fixes as well.
"Microsoft is making 'defense-in-depth' changes to the other browsers," said Storms of IE6, IE7 and IE8.
Microsoft has infrequently issued code changes meant to beef up security of a product even though it's not technically vulnerable to attack.
"The general idea is that the vulnerability is on a new platform, and that during its due diligence, Microsoft found the same [flawed] code in older platforms," said Storms. "But because they couldn't actually execute the vulnerability on those [older versions], they're making changes just in case something in the future is found that can exploit the bug."
This will be the second month running that Microsoft patches IE: In November, it quashed three critical bugs in IE9. At the time, Storms argued that Microsoft had probably also found one or more of those flaws in IE10, but had managed to fix them before it shipped the browser on Oct. 26.
Other updates will tackle one or more critical vulnerabilities in Windows -- including one applicable to Windows 8 and Windows RT; at least one critical bug in Word 2003, 2007 and 2010 on Windows; and some critical flaws in Exchange 2007 and 2010.
That last caught Storms' eye.
"Exchange is one of the most highly-critical business applications, and it's not something you want to shut down, especially in December," Storms said.
But he wasn't ready to tell companies to pass on the Exchange update. "They may well release some easily-performed mitigations next week," Storms said, referring to Microsoft's habit of offering work-arounds to keep software secure until a patch can be applied. "We'll have to wait and see. This one may have the typical risk-reward equation.... Is it worth the risk to patch or better to leave it alone?"
If companies apply the Exchange update and break their mail systems, especially during a very busy time of the year for retailers, it could be chaos.
Henry, who regularly talks with Microsoft after it has issued its advance notification, said that the Exchange update will address new vulnerabilities in the Outside In code libraries that Microsoft licenses from Oracle.
Exchange uses the libraries to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. In the past, Outside In bugs have resided within the Exchange code base that parses those attachments.
Oracle patched two low-threat Outside In bugs in a massive Oct. 16 security update.
If Microsoft ships all seven of the planned updates -- occasionally it holds one back at the last minute -- the company will have issued 83 security bulletins in 2012, a 17% drop from 2011's 100 updates, said Storms.
The individual patch count, however, will slip just 5%, with 196 in 2012 compared to 206 the year before.
Microsoft will release the seven updates at approximately 1 p.m. ET on Dec. 11.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.