Microsoft to patch under-attack XML bug next week

Will also issue unexpected update for IE9

Microsoft today confirmed that it will patch a vulnerability in Windows next week that has been exploited by an increasing number of attacks.

Initially, experts wondered whether Microsoft would patch the XML Core Services (MSXML) vulnerability in Windows that it first acknowledged June 12, but failed to fix even as attacks leveraging the flaw steadily ramped up.

"Where's the patch for the XML Core bug?" asked Andrew Storms, director of security operations at nCircle Security, in an interview earlier Thursday. "The MSRC [Microsoft Security Response Center] blog makes no mention of it," noted Storms. "It's unlike them not to call out [an impending patch]."

Storms was not the only security researcher to notice the omission of the MSXML fix on the MSRC blog, but he was the most vocal about it.

"[A fix] for MSXML could be in one of the planned updates," Storms acknowledged, "but if they were going to issue a fix, I think they would say so."

Microsoft later confirmed to Computerworld that it will patch the MSXML vulnerability next Tuesday.

Storms praised the quick turn-around by Microsoft, but stuck to his guns on his criticism of the company's initial decision to keep quiet.

"I do applaud them for the reaction speed," said Storms in a follow-up instant message reply to questions. "But really if they are doing such a good job, again why not tell the world? It would begin to dispel the fears about any active attacks knowing that a patch is just around the corner."

Storms had a point: The Microsoft XML Core Services (MSXML) vulnerability has attracted attention not only from the technology press, which has focused on the quick appearance of attacks exploiting the unpatched bug, but also obviously from hackers.

On Monday, for example, AlienVault Labs reported that a malicious email campaign was trying to dupe recipients into visiting websites where attackers exploited the MSXML vulnerability. Some of those emails had been aimed at workers in the defense and aerospace industries.

The popular-with-hackers Blackhole exploit toolkit has also recently added attack code targeting the MSXML vulnerability.

Microsoft Thursday said it would ship nine security updates next week, three critical, to patch 16 bugs in Windows, Internet Explorer, Office and several components of its SharePoint enterprise collaboration platform.

Of the nine updates, three were rated "critical" by Microsoft and six as "important," the first- and second-most serious rankings in its threat system. All of the critical updates and one of the half-dozen important ones could be used to hijack Windows PCs, said the company.

What Microsoft dubbed "Bulletin 2" in today's alert also caught researchers' eyes because it will patch one or more vulnerabilities in Internet Explorer 9 (IE9), the newest of the company's still-supported browsers.

"They typically patch IE every other month," said Storms of Microsoft's habitual browser bug fixing during even-numbered months. Four weeks ago, Microsoft patched 13 IE vulnerabilities with the MS12-037 update.

"I think it's fair to say that this will be of high importance," said Storms. "For them to go out of their normal cycle raises the bar."

Other security experts also tagged Bulletin 2 as one to watch next Tuesday when Microsoft issues July's updates.

"Bulletin 2 ... is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months," echoed Wolfgang Kandek, chief technology officer at Qualys, in an email today.

Both Storms and Kandek called out Bulletin 1, the critical update that will patch the MSXML vulnerability, as the other fix likely to rise on most enterprise to-do lists. The update affects every supported version of Windows, from Windows XP to Windows 7 on the client side, and from Server 2003 to Server 2008 R2 on the server end.

Bulletin 3, also labeled as critical, will impact only the client versions -- Windows XP, Vista and Windows 7 -- but could also make it onto lists next week.

"Bulletins 1 and 3 are critical bulletins that could result in full compromise [of] systems without user interaction ... so they should be attention-grabbers," said Marcus Carey, a security researcher with Rapid7, in a Thursday email.

Other bulletins will patch bugs in Office 2003 through Office 2010 on Windows, Office 2011 on the Mac, SharePoint Server 2007 and 2010, Office Web Apps 2010, and InfoPath 2007 and 2010.

InfoPath is an electronic form-creation and form-submission product.

"The update for SharePoint Server does raise some concerns, because if you were to take it down for patching or it fails afterward, there goes your enterprise collaboration system," said Storms. "It's as much a core component of many enterprises as Exchange."

Next week will also be the first time that Microsoft uses beefed-up encryption for Windows Update and a strengthened communications channel between its update servers and customers' PCs and servers, Kandek observed.

The changes were part of Microsoft's answer to the Flame espionage malware, and the discovery that Flame had found the "Holy Grail" of hacks by subverting Windows Update. Microsoft's response was to turn its certificate-generation process upside down and revamp how it secures Windows updates.

Although Microsoft initially said it would begin rolling out the Windows Update modifications before June's Patch Tuesday, it reconsidered and delayed the changes until users had a chance to obtain the month's 26 fixes.

Storms and other security experts had called on Microsoft to do just that, worried that if the update to Windows Update itself failed or caused secondary problems, users would be vulnerable to attack because their PCs could not automatically download and install future patches.

Microsoft will release the nine updates at approximately 1 p.m. Eastern time on July 10.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to or subscribe to Gregg's RSS feed.
