Microsoft lines up critical Windows, Office and IE fixes for next week
Year's update total will be 28% higher than 2012's
Computerworld - Microsoft today said it will ship 11 security updates next week to patch critical vulnerabilities in Windows, Internet Explorer (IE), Office and Exchange, including one meant to stymie active attacks the company confirmed a month ago.
With the 11 slated for release on Dec. 10, Microsoft's update tally for the year will reach 106, tying the record from 2010 and representing a 28% increase over 2012.
Five of the updates outlined in today's Patch Tuesday advance notification will be marked "critical," the top ranking in Microsoft's scoring system; the remaining six will be labeled "important," one step down in severity.
"IE is the 'of course patch first' update," said Andrew Storms, director of DevOps at San Francisco-based security company CloudPassage.
The critical IE update will affect all currently supported versions of Microsoft's browser, from the aging IE6 to the just-released IE11. The upcoming update means that Microsoft will have patched IE every month of 2013, a feat impossible prior to July 2012, when the Redmond, Wash. company applied fixes only in alternating months.
Microsoft will be forced to support the half-dozen flavors of IE through at least April, when it will finally retire IE6, the oft-derided browser that debuted more than 12 years ago.
"Talk about legacy costs," said Storms in an instant message interview Thursday. "We think about the operational costs for IT departments to manage and maintain X number of old systems, [but] imagine Microsoft having to do the same for all their customers."
Another critical update will patch one or more flaws in a combination of Windows and Office editions to shut down ongoing attacks reported to Microsoft by McAfee researchers in early November. Microsoft issued a security advisory on Nov. 5 that described the threat and offered a temporary fix.
Two of the remaining three critical updates will affect Windows, while the third will patch Exchange, the business-critical email server software that most businesses rely on for delivering messages.
Storms recommended that Microsoft's customers immediately install the critical Windows updates, but hedged on the one for Exchange.
On one hand, the criticality of the Exchange update would seem to demand attention. But Storms pointed out that the decision may be tougher than at first glance, since IT staffs are often short-handed at the end of the year and leery of breaking email at any time.
"Taking the risk of patching and rebooting Exchange at the end of the year will surely create a lot of opinions inside meeting rooms," said Storms, referring to discussions that will take place next week about whether to patch the email servers.
"If we get lucky, [the Exchange vulnerability] will be in Oracle's Outside In, and there will be an easy mitigation," Storms added.
Exchange relies on Outside In libraries to display file attachments in a browser rather than open them in a locally stored application, like Microsoft Word. Microsoft has patched those libraries repeatedly: twice this year -- most recently in August -- and also twice in 2012.
Outside In was included in Oracle's October patch collection, making it almost certain that the Exchange update will address that technology's latest bugs. "Given Microsoft's time to test patches, the timing of this does match up," agreed Storms in a final instant message.
The six updates marked important will patch vulnerabilities in Windows, Office 2010 and Office 2013, SharePoint Server and Visual Studio Team Foundation Server 2013. If the updates are not deployed, criminals may be able to infect PCs with malware, steal information, acquire additional privileges that would let them run more threatening attacks, or bypass security features.
Microsoft will release next week's security updates on Dec. 10 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.