Microsoft books critical IE, Windows fixes for next week

Microsoft today said it will deliver eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), as well as others to plug holes in every supported edition of its Office suite.
As expected, the company will not fix a different flaw it revealed earlier this week in Windows, Office and the Lync communications platform.
"This release won't include an update for the issue first described in Security Advisory 2896666," wrote Dustin Childs, a spokesman for the Microsoft Security Response Center (MSRC), in a Thursday blog. The advisory Childs referenced appeared Tuesday.
Of the eight updates on the slate for Nov. 12, three were rated "critical" by Microsoft, while the other five were pegged as "important," the second-most serious ranking in its four-step scoring system.
The critical update that should be patched ASAP is the one aimed at all versions of Internet Explorer (IE), from the aged IE6 -- which will be retired next April -- to the new IE11 on Windows 8.1, one security expert said today.
Andrew Storms, director of DevOps at San Francisco-based CloudPassage, noted that Microsoft has patched IE each month this year, and as he usually does, recommended that users deploy the browser update first. "IE should be first, especially with what else we're looking at this month," said Storms in a Thursday interview. "If the Office updates were critical rather than important, it might be different."
IE often gets the nod as the candidate for the top of the patching list because of its widespread use -- nearly six in every 10 personal computers ran the Microsoft browser in October -- and the fact that critical vulnerabilities can usually be exploited with "drive-by" attacks, those that are triggered when a user steers a browser to a malicious or compromised website.
Microsoft did not list IE11 on Windows 7 as affected for Bulletin 1 -- the placeholder label for that update -- even though the company released the browser on that OS today. Storms assumed that it was not an oversight, but that Microsoft had integrated the fix into the final IE11 code before it shipped.
The remaining pair of critical updates will patch all still-supported versions of Windows, including the soon-to-be-put-out-to-pasture Windows XP and the newest, Windows 8.1.
Storms said that there was, as usual, not enough information in the skeletal-by-design advance notification Microsoft issued today to get a feel for what will be fixed in Windows by Bulletins 2 and 3.
"I highly doubt that the same lines of code in Windows XP or Server 2003 are in Windows 8," said Storms, when asked if the top-to-bottom updates for Windows meant that Microsoft dragged 12 years of legacy code through the operating system. "The code has been rewritten over the years, but the same functionality is there, and that's where the hole will be."
Other security professionals tapped Bulletin 2 as the priority this month. "Of these first three [that are all critical], Bulletin 2 is the most powerful," argued Tommy Chin, technical support engineer at Core Security, in an email. "It affects all listed operating systems across the board, including server core installations."
Source: Computerworld
