Microsoft plans to patch critical under-attack IE bug next week
Will ship four updates for Windows XP in second-to-last round of patches for the aged OS
Computerworld - Microsoft today announced it will deliver five security updates to customers next week, two tagged as "critical," including one that will quash the open vulnerability in Internet Explorer (IE) that hackers have been exploiting since January.
Four of the five updates will affect Windows XP, the nearly-13-year-old operating system that Microsoft plans to retire from patch support on April 8. After next week's Patch Tuesday, Microsoft has just one more chance to fix flaws in the aged OS before it pulls the plug.
One of the two critical updates patches all versions of IE, including the even-older-than-XP IE6, as well as the newest IE11, which runs only on Windows 7, Windows 8 and Windows 8.1.
On the client editions of Windows, the IE fix -- dubbed "Bulletin 1" in today's advance notification -- was rated critical, Microsoft's most serious threat rating, for all versions of the browser.
Two weeks ago, Microsoft confirmed at least one vulnerability in IE9 and IE10 after security company FireEye found attacks targeting current and former U.S. military personnel who visited the Veterans of Foreign Wars (VFW) website. Another security vendor, Websense, reported that it had found an exploit leveraging the same IE bug on the website of a French aerospace association, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), whose members include defense and space contractors.
Websense cited evidence that exploits had been in circulation as early as Jan. 20, 2014.
Later, Aviv Raff, chief technology officer at security firm Seculert, contended that the attacks uncovered by FireEye and Websense were the work of two hacker groups.
Although Microsoft today continued to characterize the attacks as limited in scope, Symantec begged to differ last week. The California antivirus vendor said its telemetry showed that attacks against IE were "expanding to attack average Internet users" at the time.
Three other Windows updates will affect XP, one rated critical and the other two pegged as "important" on Microsoft's four-step scoring system. Bulletin 2, the update marked critical, addresses a flaw that could be used by attackers to hijack a PC running any flavor of Windows, including XP, except for Windows RT, the scaled-back touch-first sibling that powers Microsoft's Surface RT and Surface 2 tablets.
The updates for Windows XP, including the one for IE6, IE7 and IE8, the browsers that run on the aged platform, will likely get much of the attention next week as XP will then be just one month from retirement. After April 8, Microsoft will not ship patches for known XP vulnerabilities, even critical flaws, to the general public. It will, however, provide critical updates to major customers who have paid for an extra-extended form of support, which costs about $200 per PC for the first year of coverage, then climbs each additional year.
Microsoft has invested significant messaging resources in urging customers to abandon XP for a newer OS, including a misguided appeal to the more technically-astute to help friends and family ditch XP.
So far, the Redmond, Wash. company's efforts have not paid off as it had hoped: Metrics company Net Applications said earlier this week that XP powered 29.5% of the world's personal computers in February.
The two remaining Windows updates were rated important by Microsoft, which said that one could be used by hackers to obtain additional access rights while the other could be exploited to bypass an unnamed security feature or technology within the operating system.
The fifth update, also judged important, will patch Silverlight 5, a Microsoft-made framework that once tried to take on Adobe Flash in the market and on the Web.
Silverlight 5 is the most-recent version of the framework and its multimedia player plug-in, released in late 2011. Microsoft has committed to supporting Silverlight through 2021, but has stopped further development on the technology, which remains important on Windows Phone if little else.
Microsoft will release next week's security updates on March 11 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.