Microsoft books critical IE, Windows fixes for next week
Schedules 8 updates, but won't patch the latest zero-day bug
Computerworld - Microsoft today said it will deliver eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), as well as others to plug holes in every supported edition of its Office suite.
As expected, the company will not fix a different flaw it revealed earlier this week in Windows, Office and the Lync communications platform.
"This release won't include an update for the issue first described in Security Advisory 2896666," wrote Dustin Childs, a spokesman for the Microsoft Security Response Center (MSRC), in a Thursday blog. The advisory Childs referenced appeared Tuesday.
Of the eight updates on the slate for Nov. 12, three were rated "critical" by Microsoft, while the other five were pegged as "important," the second-most serious ranking in its four-step scoring system.
The critical update that should be patched ASAP is the one aimed at all versions of Internet Explorer (IE), from the aged IE6 -- which will be retired next April -- to the new IE11 on Windows 8.1, one security expert said today.
Andrew Storms, director of DevOps at San Francisco-based CloudPassage, noted that Microsoft has patched IE each month this year, and as he usually does, recommended that users deploy the browser update first. "IE should be first, especially with what else we're looking at this month," said Storms in a Thursday interview. "If the Office updates were critical rather than important, it might be different."
IE often gets the nod as the candidate for the top of the patching list because of its widespread use -- nearly six in every 10 personal computers ran the Microsoft browser in October -- and the fact that critical vulnerabilities can usually be exploited with "drive-by" attacks, those that are triggered when a user steers a browser to a malicious or compromised website.
Microsoft did not list IE11 on Windows 7 as affected for Bulletin 1 -- the placeholder label for that update -- even though the company released the browser on that OS today. Storms assumed that it was not an oversight, but that Microsoft had integrated the fix into the final IE11 code before it shipped.
The remaining pair of critical updates will patch all still-supported versions of Windows, including the soon-to-be-put-out-to-pasture Windows XP and the newest, Windows 8.1.
Storms said that there was, as usual, not enough information in the skeletal-by-design advance notification Microsoft issued today to get a feel for what will be fixed in Windows by Bulletins 2 and 3.
"I highly doubt that the same lines of code in Windows XP or Server 2003 are in Windows 8," said Storms, when asked if the top-to-bottom updates for Windows meant that Microsoft dragged 12 years of legacy code through the operating system. "The code has been rewritten over the years, but the same functionality is there, and that's where the hole will be."
Other security professionals tapped Bulletin 2 as the priority this month. "Of these first three [that are all critical], Bulletin 2 is the most powerful," argued Tommy Chin, technical support engineer at Core Security, in an email. "It affects all listed operating systems across the board, including server core installations."
Chin was right: Bulletin 2 listed Windows Server 2008, Server 2008 R2 and Server 2012 as all critical when just the Server Core -- a minimal installation that supports only key features that, theoretically, drastically reduce the attack opportunities for hackers -- was deployed.
Two updates targeting Office are also on next week's agenda. Bulletins 4 and 7, both rated important, will patch Office in general and Outlook, Microsoft's email client, specifically. Bulletin 4 will affect every edition of Office, including Office 2003, which is set for retirement alongside Windows XP on April 8, 2014; Office 2007; Office 2010; and the new Office 2013 and its tablet-specific offshoot, Office 2013 RT.
Office 2013 has been patched three times since its January retail debut.
"It looks like Microsoft will have to turn around and do it all again in another month," said Storms, referring to the expectation that the company will have a fix for the just-disclosed zero-day in time for next month's Patch Tuesday. According to Microsoft, that update will affect all versions of Office except for Office 2013.
Including the eight on the docket for next week, Microsoft will have issued 95 updates this year, 12 more than 2012's total. That puts it on pace to break 100 for the first time since 2011 and to come close to 2010's record of 106.
Microsoft will release next week's security updates on Nov. 12 around 10 a.m. PT (1 p.m. ET).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.