Microsoft withholds monster IE update from Windows 8.1 dawdlers
Renounces Windows 8.1's patch privileges unless it has been migrated to April's Update
Computerworld - Microsoft refused to give Windows 8.1 customers a second reprieve, requiring most to have upgraded their devices to April's Windows 8.1 Update before the firm's Windows Update would serve up a mammoth patch slate today.
Tuesday's collection of seven different "bulletins" -- Microsoft's label for its security updates -- included one for Internet Explorer (IE) that contained fixes for a record 59 separate vulnerabilities.
The previous single-bulletin mark was MS11-034, which patched 30 vulnerabilities in April 2011.
Microsoft got a bit defensive about the large number of CVEs on today's slate. "Does a vulnerability make a sound if it never gets exploited?" asked Dustin Childs, a group manager on the Microsoft Security Response Center's blog Tuesday after recounting the total flaws fixed. "When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack. In other words, it doesn't matter if that falling tree makes a noise; we still have an action to take."
To receive the MS14-035 IE update and others released today, consumers and small businesses or organizations -- anyone using Windows Update to obtain patches -- that have devices running October 2012's Windows 8.1 must have applied Windows 8.1 Update (Win8.1U).
Microsoft issued Win8.1U in early April.
Larger customers, enterprises primarily, that rely on WSUS (Windows Server Update Services), Windows Intune or System Center Configuration Manager to obtain and deploy patches, have until August 12 to migrate from Windows 8.1 to Win8.1U.
Initially, Microsoft gave everyone just five weeks to put Windows 8.1 Update in place or face a no-patch future. But it quickly backed off under pressure from corporate customers, and gave them the three-month extension. At the time, Microsoft retained the May 13 deadline for all others.
But just 24 hours before the cutoff, the consumer deadline was extended to June 10.
Today's MS14-035 included 59 individual CVEs (Common Vulnerabilities and Exposures), the individual identifiers for security bugs that are logged into a central database maintained by Mitre with funding from the U.S. Department of Homeland Security.
Of the 59 total CVEs in MS14-035, 21 were applicable to Internet Explorer 8 (IE8), not only the most-used of Microsoft's browsers, but also the newest that runs on the still-defiant Windows XP. The corporate combination of Windows XP- and Windows 7-powered PCs -- businesses shunned the interim Windows Vista and have largely done the same to Windows 8 -- was a major factor in businesses worldwide standardizing on IE8; it was the latest that ran on both operating systems.
Today, Microsoft again urged customers to yank IE8 from Windows 7 in favor of the newest iteration, IE11, which was released alongside Windows 8.1 last October, and for Windows 7 in November. On Microsoft's IE blog, Fred Pullin, a senior product marketing manager, repeated the firm's contention that IE11 is more secure and that its Enterprise Mode, a new compatibility feature that mimics IE8 for legacy websites and Web apps, is a suitable replacement for the real deal.
IE11, however, received 47 patches, more than twice as many as IE8, a number that some will certainly cite to question Pullin's advice that, "If you are using an older browser, upgrade to the latest version and enable automatic updates for more secure browsing."
Windows 8.1 Update can be downloaded and installed on current Windows 8.1 PCs using Windows Update. Win8.1U will appear as an "Important" update and will be labeled as "KB 2919355."
After Win8.1U has been successfully installed, users can manually re-run Windows Update to retrieve today's seven bulletins, including MS14-035.
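For administrators checking many machines rather than one, the following PowerShell sketch reports which Windows 8.1 hosts already have KB 2919355 and which still lack it. It is an added example, not from Microsoft or the original article; the function name, status labels and host names are hypothetical, and remote queries assume WMI/DCOM access to each host.

```powershell
# Added example: audit hosts for the Windows 8.1 Update baseline (KB2919355).
# Function name, status labels and host names are assumptions for illustration.
function Test-Win81UpdateBaseline {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($name in $ComputerName) {
            $result = [pscustomobject]@{
                ComputerName = $name
                OS           = $null
                IsWindows81  = $false
                HasKB2919355 = $false
                Status       = 'Unknown'
            }
            try {
                # Get-WmiObject and Get-HotFix both use WMI over DCOM for remote hosts
                $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
                $result.OS = $os.Caption
                # Windows 8.1 reports version 6.3.x; ProductType 1 = workstation,
                # which excludes Server 2012 R2 (also 6.3.x)
                $result.IsWindows81 = ($os.Version -like '6.3.*') -and ($os.ProductType -eq 1)
                if (-not $result.IsWindows81) {
                    $result.Status = 'NotApplicable'
                } else {
                    # Get-HotFix reads Win32_QuickFixEngineering; a missing KB returns nothing
                    $kb = Get-HotFix -Id 'KB2919355' -ComputerName $name -ErrorAction SilentlyContinue
                    $result.HasKB2919355 = [bool]$kb
                    $result.Status = if ($kb) { 'Eligible' } else { 'MissingBaseline' }
                }
            } catch {
                # Unreachable or access-denied hosts are reported, not silently skipped
                $result.Status = "QueryFailed: $($_.Exception.Message)"
            }
            $result
        }
    }
}

# Local machine first, then a constructed list of hypothetical host names
Test-Win81UpdateBaseline
'PC-EXAMPLE-01', 'PC-EXAMPLE-02' | Test-Win81UpdateBaseline | Where-Object Status -ne 'Eligible'
```

Hosts reported as `MissingBaseline` are the ones that will not be offered MS14-035 through Windows Update until KB 2919355 is installed.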
Ironically, laggards who have remained on Windows 8, the October 2012 original, have until Jan. 12, 2016 to migrate to Windows 8.1 Update before losing their patch privileges.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.