Microsoft patches critical IE9, Windows bugs
Fixes 34 flaws, including multiple 'drive-by' vulnerabilities, in host of products
Computerworld - Microsoft today patched 34 vulnerabilities in Windows, Internet Explorer (IE), Office and other software, 15 of them labeled "critical" by the company.
The large number of updates -- as well as the fact that Microsoft issued them two hours later than usual -- will put pressure on enterprise administrators, one expert said.
"No doubt IT administrators will have to pick and choose where to act first," said Wolfgang Kandek, chief technology officer for Qualys.
Of the 16 updates, which Microsoft calls bulletins, nine were pegged critical, the most-serious rating in the company's four-step scoring system, while the remaining seven were tagged "important," the next-most-dangerous category.
While the number of bugs patched today was significantly less than the record 64 Microsoft fixed in April, it was the second-highest total for the year. The 16 bulletins were just one off the record, also set last April.
Fifteen of the 34 total vulnerabilities were rated critical, 17 were ranked important, and two were marked as "moderate."
Microsoft picked four of the 16 updates to highlight, and urged customers to roll out the quartet as soon as possible.
"Our top priorities are MS11-050, MS11-052, MS11-043 and MS11-042," Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC), said in an interview earlier today. Bryant listed the four in the order of priority.
Among the deploy-immediately bulletins, MS11-050 offered 11 patches for IE that Microsoft and independent experts pinned to the top of their lists.
"This one is at the top of the list, as it always is when Microsoft patches IE," said Andrew Storms, director of security operations for nCircle Security. "But it's also the first IE9 update, and certainly does look to be true that Microsoft had this bug at the time it launched IE9, or a few days later."
Storms was referring to Microsoft's testing process, which usually lasts two months or more. That timeline would have precluded an IE9 patch in April, the first update scheduled after the browser shipped.
Microsoft habitually patches IE on even-numbered months; the last time it issued a security update for its browser was in April, when it fixed five flaws. Today's, however, was the first critical update for IE9, the browser that Microsoft shipped in mid-March. Four of the 11 patches in MS11-050 affected IE9, said Microsoft.
Nine of the 11 bugs in IE that Microsoft patched today could be exploited by attackers with a "drive-by" attack that requires users to simply visit a malicious Web site.
MS11-052 also affected IE, although Microsoft labeled it as a Windows update.
"The vulnerability is in Windows, but the attack vector is through Internet Explorer," said Bryant. "But IE9 is not affected by this update. [The issue] was addressed before IE9 released..., so that's part of the 'newer is better' message we're getting out to customers," Bryant added.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts