Thread: Microsoft books critical IE, Windows fixes for next week

Microsoft books critical IE, Windows fixes for next week

Schedules 8 updates, but won't patch the latest zero-day bug

By Gregg Keizer
November 7, 2013 04:08 PM ET

Computerworld - Microsoft today said it will deliver eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), as well as others to plug holes in every supported edition of its Office suite.

As expected, the company will not fix a different flaw it revealed earlier this week in Windows, Office and the Lync communications platform.

"This release won't include an update for the issue first described in Security Advisory 2896666," wrote Dustin Childs, a spokesman for the Microsoft Security Response Center (MSRC), in a Thursday blog. The advisory Childs referenced appeared Tuesday.

Of the eight updates on the slate for Nov. 12, three were rated "critical" by Microsoft, while the other five were pegged as "important," the second-most serious ranking in its four-step scoring system.

The critical update that should be patched ASAP is the one aimed at all versions of Internet Explorer (IE), from the aged IE6 -- which will be retired next April -- to the new IE11 on Windows 8.1, one security expert said today.

Andrew Storms, director of DevOps at San Francisco-based CloudPassage, noted that Microsoft has patched IE each month this year, and as he usually does, recommended that users deploy the browser update first. "IE should be first, especially with what else we're looking at this month," said Storms in a Thursday interview. "If the Office updates were critical rather than important, it might be different."

IE often gets the nod as the candidate for the top of the patching list because of its widespread use -- nearly six in every 10 personal computers ran the Microsoft browser in October -- and the fact that critical vulnerabilities can usually be exploited with "drive-by" attacks, those that are triggered when a user steers a browser to a malicious or compromised website.

Microsoft did not list IE11 on Windows 7 as affected for Bulletin 1 -- the placeholder label for that update -- even though the company released the browser on that OS today. Storms assumed that it was not an oversight, but that Microsoft had integrated the fix into the final IE11 code before it shipped.

The remaining pair of critical updates will patch all still-supported versions of Windows, including the soon-to-be-put-out-to-pasture Windows XP and the newest, Windows 8.1.

Storms said that there was, as usual, not enough information in the skeletal-by-design advance notification Microsoft issued today to get a feel for what will be fixed in Windows by Bulletins 2 and 3.

"I highly doubt that the same lines of code in Windows XP or Server 2003 are in Windows 8," said Storms, when asked if the top-to-bottom updates for Windows meant that Microsoft dragged 12 years of legacy code through the operating system. "The code has been rewritten over the years, but the same functionality is there, and that's where the hole will be."

Other security professionals tapped Bulletin 2 as the priority this month. "Of these first three [that are all critical], Bulletin 2 is the most powerful," argued Ken Pickering, director of engineering at CORE Security, in an email. "It affects all listed operating systems across the board, including server core installations."

Pickering was right: Bulletin 2 listed Windows Server 2008, Server 2008 R2 and Server 2012 as all critical when just the Server Core -- a minimal installation that supports only key features that, theoretically, drastically reduce the attack opportunities for hackers -- was deployed.

Two updates targeting Office are also on next week's agenda. Bulletins 4 and 7, both rated important, will patch Office in general and Outlook, Microsoft's email client, specifically. Bulletin 4 will affect every edition of Office, including Office 2003, which is set for retirement alongside Windows XP on April 8, 2014; Office 2007; Office 2010; and the new Office 2013 and its tablet-specific offshoot, Office 2013 RT.

Office 2013 has been patched three times since its January retail debut.

"It looks like Microsoft will have to turn around and do it all again in another month," said Storms, referring to the expectation that the company will have a fix for the just-disclosed zero-day in time for next months' Patch Tuesday. According to Microsoft, that update will affect all versions of Office except for Office 2013.

Including the eight on the docket for next week, Microsoft will have issued 95 update this year, 12 more than 2012's total, and on a pace to break 100 for the first time since 2011 and one that will come close to 2010's record of 106.

Microsoft will release next week's security updates on Nov. 12 around 10 a.m. PT (1 p.m. ET).

http://www.computerworld.com/s/article/9243897/Microsoft_books_critical_IE_Windows_fixes_for_next _week

UPDATES are ready .