Patch Tuesday preview: Get your Windows XP patches while they last
Microsoft plans to plug the zero-day hole that hackers have been exploiting in the aged OS next week
Computerworld - Microsoft today said it will deliver just four security updates next week, none of them marked "critical," to quash vulnerabilities in Windows, Word, SharePoint Server and Dynamics AX, an enterprise-grade release-planning offering from the company's Dynamics suite.
One of the updates will patch Windows XP and Windows Server 2003 to stymie attacks that Microsoft acknowledged in November when it issued a security advisory. Just hours earlier, security firm FireEye had publicized the attacks, which researchers said combined exploits of the Windows elevation-of-privilege flaw with another that leveraged a more serious bug in older versions of Adobe Reader.
"Bulletin 2 should be at the top of the list," said Andrew Storms, director of DevOps at CloudPassage, in an interview Thursday, referring to the update that will patch XP and Server 2003. "It's related to a known zero-day, and we've already seen an advisory from Microsoft. That might change next week when we see the details of the other bulletins, of course."
Others, including Russ Ernst, director of product management at Lumension, also recommended that people who still rely on XP or Server 2003 deploy Bulletin 2 first.
Microsoft will ship its final security updates for XP on April 8, a date it's tried to hammer home as it urges customers to dump the aged operating system. Many, however, have procrastinated or simply refused to leave behind the 13-year-old XP. According to the latest statistics from analytics firm Net Applications, XP will still power around one-fourth of the world's personal computers at the end of April, leaving millions of machines adrift without fixes for flaws.
The other three bulletins -- like Bulletin 2, marked "important" -- will address vulnerabilities in Word 2003 through Word 2013, SharePoint Server 2010 and 2013, and multiple versions of Dynamics AX, Microsoft said in its monthly pre-Patch Tuesday advance notification.
"I recommend patching Bulletin 1 as soon as possible," said Tommy Chin, a technical support engineer with CORE Security, in an email Thursday.
Microsoft identified Bulletin 1, which will patch Word and SharePoint Server, as the only one of the quartet labeled "remote code execution," which indicated that attackers could exploit it to compromise a PC or server, then plant malware on the system.
Among the versions of Word to be patched by Bulletin 1 was Word 2003, part of the Office 2003 suite, which is also slated for retirement April 8.
But the low update count for January was almost as much news to Storms as the planned fixes. "There's no IE [Internet Explorer] update and no critical updates, so the term 'light month' is apropos," said Storms. "I look at it as a kind of gift from Microsoft, a great time to catch up on patching."
In December, Microsoft delivered 11 security updates, pushing 2013 into a tie with 2010 for the record of most in one year. The company also patched its IE browser in each month of 2013.
Microsoft also called out several non-security updates it plans to ship next Tuesday, including eight restricted to Windows 8, Windows 8.1, Windows RT and Windows RT 8.1. But it did not list a firmware update for the Surface Pro 2 tablet that owners have been clamoring for since Dec. 10, when a flawed update caused a litany of power management problems.
The company's technical support representatives have told numerous customers that the firmware update fix will be released Jan. 14.
Microsoft will release next week's security updates on Jan. 14 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.