Microsoft to patch Windows 8, but stays mum on IE zero-day fix
Revokes pilfered digital certificates today
Computerworld - Microsoft today said it will release seven security updates next week -- including one rated critical for Windows 8 and Windows RT -- to patch 12 vulnerabilities in Windows, Office, SharePoint Server and the company's website design software.
At the same time, Microsoft warned customers that hackers are using digital certificates obtained from a Turkish certificate authority (CA). In response, Microsoft has removed the purloined certificates from Windows' list of trusted certificates, and urged users to verify that they have applied a June 2012 update that automates the de-certification process.
Missing from Thursday's advance notification was any news about the Internet Explorer (IE) zero-day vulnerability that hackers have been exploiting since at least Dec. 7.
Microsoft today declined to comment when asked about the timetable for the IE fix.
In an emailed statement, Dustin Childs, a group manager in Microsoft's security group, again said that the firm has found few attacks exploiting the IE bug. "We've seen only a limited number of affected customers," Childs claimed.
The IE bug affects the IE6, IE7 and IE8 browsers released between 2006 and 2009. The vulnerability does not exist in the newer IE9 and IE10, Microsoft said last weekend when it first warned customers of the flaw.
"I didn't expect that they would have a patch ready," Andrew Storms, director of security operations at nCircle Security, said in an interview today. "And I don't think that they'll release it out-of-band at this point, unless the attacks start to show a large upward trajectory."
"Out-of-band" refers to a security update that's issued on the fly, and outside the usual monthly patch schedule Microsoft maintains. With no plans to patch the IE vulnerability next week, Microsoft's next scheduled opportunity would be Feb. 12.
Security firms that have gone into their logs have found evidence that the IE exploits started Dec. 7, and that at least two websites -- the foreign policy think-tank Council on Foreign Relations, and Capstone Turbine, a U.S. micro-turbine manufacturer -- have been compromised by hackers, who then planted malware on their servers. People running IE6, IE7 or IE8 who surfed to those websites were then attacked by the malware, had their computers hijacked and, in some cases, data stolen.
Tuesday's security updates will not fix the IE vulnerability, but will address a dozen different bugs. Two of the seven updates will be graded "critical," Microsoft's most-serious threat assessment, while the remainder will be tagged as "important," the next-most-dire.
Bulletin 2, as Microsoft identified it today, piqued Storms' curiosity.
"By far, it's the most interesting because it's not just through the OS stack, but also applies to Office and developer tools and SharePoint," said Storms. "It's likely something core to Microsoft, like GDI [graphics device interface] or XML, to affect so many different products."