Microsoft preps monster security update for next week
Another expert, Lumension security and forensic analyst Paul Henry, theorized that one of the IE updates might be related to recent vulnerabilities in Oracle's Java. Like other browsers, IE relies on an Oracle-provided plug-in to parse Java code.
"It's possible that this is related to the recent and ongoing Java issues," said Henry in an email Thursday. "Microsoft has a very close relationship with Oracle, so it wouldn't surprise me if these bulletins include Java patches."
Last week, Oracle accelerated the release of its regularly-scheduled security update -- initially slated to ship Feb. 19 -- citing "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers."
Oracle's early update came in the aftermath of several embarrassing "zero-day" vulnerabilities -- and the emergency patches necessary to quash those bugs -- as well as harsh criticism leveled by security professionals against Oracle for its handling of Java's problems.
Next week's fifth critical update affects Exchange Server 2007 and Exchange Server 2010, the second- and third-most-recent versions of Microsoft's email server software.
While details were absent -- Microsoft's advanced notification is always bare bones -- Storms said the simple fact that the update was judged critical and for Exchange should be enough to raise the antenna of IT pros. "They always concern me because Exchange is the critical business application," said Storms.
A patch failure or compatibility problem in an Exchange update could conceivably knock out a firm's email, with all the resulting chaos that creates among workers, and the conflict between them and IT.
Microsoft will release next week's 12 security updates on Feb. 12 at approximately 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts