Patch Tuesday preview: Get your Windows XP patches while they last
Microsoft plans to plug the zero-day hole that hackers have been exploiting in the aged OS next week
Computerworld - Microsoft today said it will deliver just four security updates next week, none of them marked "critical," to quash vulnerabilities in Windows, Word, SharePoint Server and Dynamics AX, an enterprise resource planning offering from the company's Dynamics suite.
One of the updates will patch Windows XP and Windows Server 2003 to stymie attacks that Microsoft acknowledged in November when it issued a security advisory. Just hours earlier, security firm FireEye had publicized the attacks, which researchers said combined exploits of the Windows elevation-of-privilege flaw with another that leveraged a more serious bug in older versions of Adobe Reader.
"Bulletin 2 should be at the top of the list," said Andrew Storms, director of DevOps at CloudPassage, in an interview Thursday, referring to the update that will patch XP and Server 2003. "It's related to a known zero-day, and we've already seen an advisory from Microsoft. That might change next week when we see the details of the other bulletins, of course."
Others, including Russ Ernst, director of product management at Lumension, also recommended that people who still rely on XP or Server 2003 deploy Bulletin 2 first.
Microsoft will ship its final security updates for XP on April 8, a date it's tried to hammer home as it urges customers to dump the aged operating system. Many, however, have procrastinated or simply refused to leave behind the 13-year-old XP. According to the latest statistics from analytics firm Net Applications, XP will still power around one-fourth of the world's personal computers at the end of April, leaving millions of machines adrift without fixes for flaws.
The other three bulletins -- like Bulletin 2, marked "important" -- will address vulnerabilities in Word 2003 through Word 2013, SharePoint Server 2010 and 2013, and multiple versions of Dynamics AX, Microsoft said in its monthly pre-Patch Tuesday advance notification.
"I recommend patching Bulletin 1 as soon as possible," said Tommy Chin, a technical support engineer with CORE Security, in an email Thursday.
Microsoft identified Bulletin 1, which will patch Word and SharePoint Server, as the only one of the quartet labeled "remote code execution," a rating that indicates attackers could exploit the flaw to compromise a PC or server and then plant malware on the system.
Among the versions of Word to be patched by Bulletin 1 was Word 2003, part of the Office 2003 suite, which is also slated for retirement April 8.
But the low update count for January was almost as much news to Storms as the planned fixes. "There's no IE [Internet Explorer] update and no critical updates, so the term 'light month' is apropos," said Storms. "I look at it as a kind of gift from Microsoft, a great time to catch up on patching."
In December, Microsoft delivered 11 security updates, pushing 2013 into a tie with 2010 for the record of most in one year. The company also patched its IE browser in each month of 2013.
Microsoft also called out several non-security updates it plans to ship next Tuesday, including eight restricted to Windows 8, Windows 8.1, Windows RT and Windows RT 8.1. But it did not list a firmware update for the Surface Pro 2 tablet that owners have been clamoring for since Dec. 10, when a flawed update caused a litany of power management problems.
The company's technical support representatives have told numerous customers that the firmware update fix will be released Jan. 14.
Microsoft will release next week's security updates on Jan. 14 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.