Microsoft plans patches for IE10, Windows 8 next week
Will fix first bugs in company's newest browser, again address Windows 8 and Windows RT flaws
Computerworld - Microsoft today announced it will deliver seven security updates next week to patch 11 vulnerabilities, including the first that apply to Internet Explorer 10 (IE10), the company's newest browser.
As it did last month, Microsoft will also patch Windows 8, Windows RT and Windows Server 2012, its new desktop, tablet and server operating systems.
Five of the seven updates will be marked as "critical," Microsoft's highest threat ranking, while the remaining pair will be labeled "important," the Redmond, Wash. developer said in an advance warning published today.
Andrew Storms, director of security operations at nCircle Security, put the IE update atop his tentative to-do list. Others did, too, including Paul Henry, a researcher with Arizona-based Lumension.
In an email Thursday, Henry said that the bugs in IE9 and IE10 -- the only versions directly affected -- were "use-after-free" memory management vulnerabilities.
Judging by the IE update's critical label, it's likely that the bug(s) can be exploited by hackers using "drive-by" attacks, those that execute as soon as an unsuspecting user surfs to a malicious or compromised website.
Although IE9 and IE10 -- the latter is the latest in Microsoft's browser line and so far has shipped in final form only for Windows 8, Windows RT and Server 2012 -- will be patched, other still-supported editions will get fixes as well.
"Microsoft is making 'defense-in-depth' changes to the other browsers," said Storms of IE6, IE7 and IE8.
Microsoft has infrequently issued code changes meant to beef up security of a product even though it's not technically vulnerable to attack.
"The general idea is that the vulnerability is on a new platform, and that during its due diligence, Microsoft found the same [flawed] code in older platforms," said Storms. "But because they couldn't actually execute the vulnerability on those [older versions], they're making changes just in case something in the future is found that can exploit the bug."
This will be the second month running that Microsoft patches IE: In November, it quashed three critical bugs in IE9. At the time, Storms argued that Microsoft had probably also found one or more of those flaws in IE10, but had managed to fix them before it shipped the browser on Oct. 26.
Other updates will tackle one or more critical vulnerabilities in Windows -- including one applicable to Windows 8 and Windows RT; at least one critical bug in Word 2003, 2007 and 2010 on Windows; and some critical flaws in Exchange 2007 and 2010.
That last caught Storms' eye.
"Exchange is one of the most highly-critical business applications, and it's not something you want to shut down, especially in December," Storms said.
But he wasn't ready to tell companies to pass on the Exchange update. "They may well release some easily-performed mitigations next week," Storms said, referring to Microsoft's habit of offering work-arounds to keep software secure until a patch can be applied. "We'll have to wait and see. This one may have the typical risk-reward equation.... Is it worth the risk to patch or better to leave it alone?"
If companies apply the Exchange update and break their mail systems, especially during a very busy time of the year for retailers, it could be chaos.
Henry, who regularly talks with Microsoft after they've issued their advance notification, said that the Exchange update will address new vulnerabilities in the Outside In code libraries that Microsoft licenses from Oracle.
Exchange uses the libraries to display file attachments in a browser rather than opening them in a locally-installed application, such as Microsoft Word. In the past, Outside In bugs have resided within the Exchange code that parses those attachments.
Oracle patched two low-threat Outside In bugs in a massive Oct. 16 security update.
If Microsoft ships all seven of the planned updates -- occasionally it holds one back at the last minute -- the company will have issued 83 security bulletins in 2012, a 17% drop from 2011's 100 updates, said Storms.
The individual patch count, however, will slip just 5%, with 196 in 2012 compared to 206 the year before.
Microsoft will release the seven updates at approximately 1 p.m. ET on Dec. 11.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.