Microsoft adds critical IE, XP fixes to Tuesday's patch slate
Two more updates boost the total for tomorrow to seven
Computerworld - Microsoft on Monday unexpectedly added two more critical security updates to the list it will deliver tomorrow, including one for all versions of its Internet Explorer (IE) and another that will affect the soon-to-be-retired Windows XP.
"These updates have completed testing and will be included in tomorrow's release," said Dustin Childs, a spokesman for Microsoft's Trustworthy Computing group, in a short addendum to a blog originally published last Thursday.
Then, Microsoft said it would have just five security updates, two critical, that would quash vulnerabilities in Windows and the company's Exchange-based Forefront Protection 2010 security software.
The last-minute addition of two more critical updates, which brought the total to seven, four of them with Microsoft's highest-level threat rating, was unusual, said Andrew Storms, director of DevOps at San Francisco-based CloudPassage. But he took Childs at the latter's word about why the new ones squeezed onto the slate.
"They were probably busy testing the new updates, but hadn't confirmed they were good until this morning," said Storms in an interview conducted using instant messaging.
According to Microsoft's revised advance notification for Tuesday's patches, the two bulletins will address one or more vulnerabilities in IE and one or more in Windows, specifically VBScript (officially known as Visual Basic Scripting Edition), which is packaged with every version of the OS, both client and server. The two bulletins were tagged as "remote code execution," meaning attackers who crafted and delivered exploits against unpatched PCs would be able to hijack a machine and plant malware on it.
Bulletin 1 is now dedicated to IE, Microsoft said, and will update every version, from the soon-to-be-retired IE6 to the newest IE11 on Windows 8.1 and Windows RT 8.1.
Storms and other security experts had noted last week that Microsoft had omitted an IE update for two months running; the sudden appearance of a patch job means that that is no longer true.
"I think that most likely they wanted to get a number of bugs [in IE] fixed this month, but in terms of testing and timing were right on the edge," Storms said, guessing at the reasons why Microsoft first said it had no IE update, then said it did. "It is a little questionable since they did claim to have all those extra testing resources [for IE]. Makes me wonder why it took so long, or what about the timing threw them off the regular cadence."
Most security professionals classify an IE update as the one to deploy first, because of IE's widespread use and the prevalence of browser-based attacks. Storms said that is the case here.
The VBScript update will affect all versions of Windows, but was rated critical on the client editions such as Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1. On the server side, it was tagged as "moderate," two steps below critical on Microsoft's four-level scoring system.
The new Bulletin 2 means that there will be a critical update for Windows XP tomorrow. That's notable because Microsoft plans to stop publicly patching the nearly-13-year-old operating system after April 8.
Storms believes the IE and VBScript updates are connected.
"I suspect the IE and VBScript [updates] are related, because they may have both been delayed together in their testing," Storms said. "Maybe it's just a coincidence. But two bulletins released at the last minute? That seems related in some way to me."
As Storms pointed out, it's rare that Microsoft adds updates at the last minute, although the company has done the opposite a handful of times, yanking one or more just before Patch Tuesday because its engineers found a glitch.
"I suppose this is better than proactively putting them in the [advanced notification] and then having to pull them a few days later," Storms said.
Microsoft will release this month's security updates on Tuesday around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Endpoint Security in Computerworld's Endpoint Security Topic Center.
- SANS: Next-Generation Datacenters = Next-Generation Security This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Mitigating Multiple DDoS Attack Vectors It's time to rethink and refine the enterprise security architecture, so organizations can remain agile and resilient against future threats. Download this infographic...
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics...
- Cloud BI Overview: Jaspersoft for AWS Check out this overview of Jaspersoft for AWS, to easily and affordably build business intelligence solutions as well as embed visualizations and analytics... All Endpoint Security White Papers | Webcasts