Microsoft books critical IE, Windows fixes for next week

Schedules 8 updates, but won't patch the latest zero-day bug

Microsoft today said it will deliver eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), as well as others to plug holes in every supported edition of its Office suite.

As expected, the company will not fix a different flaw it revealed earlier this week in Windows, Office and the Lync communications platform.

"This release won't include an update for the issue first described in Security Advisory 2896666," wrote Dustin Childs, a spokesman for the Microsoft Security Response Center (MSRC), in a Thursday blog. The advisory Childs referenced appeared Tuesday.

Of the eight updates on the slate for Nov. 12, three were rated "critical" by Microsoft, while the other five were pegged as "important," the second-most serious ranking in its four-step scoring system.

The critical update that should be patched ASAP is the one aimed at all versions of Internet Explorer (IE), from the aged IE6 -- which will be retired next April -- to the new IE11 on Windows 8.1, one security expert said today.

Andrew Storms, director of DevOps at San Francisco-based CloudPassage, noted that Microsoft has patched IE each month this year, and as he usually does, recommended that users deploy the browser update first. "IE should be first, especially with what else we're looking at this month," said Storms in a Thursday interview. "If the Office updates were critical rather than important, it might be different."

IE often gets the nod as the candidate for the top of the patching list because of its widespread use -- nearly six in every 10 personal computers ran the Microsoft browser in October -- and the fact that critical vulnerabilities can usually be exploited with "drive-by" attacks, those that are triggered when a user steers a browser to a malicious or compromised website.

Microsoft did not list IE11 on Windows 7 as affected for Bulletin 1 -- the placeholder label for that update -- even though the company released the browser on that OS today. Storms assumed that it was not an oversight, but that Microsoft had integrated the fix into the final IE11 code before it shipped.

The remaining pair of critical updates will patch all still-supported versions of Windows, including the soon-to-be-put-out-to-pasture Windows XP and the newest, Windows 8.1.

Storms said that there was, as usual, not enough information in the skeletal-by-design advance notification Microsoft issued today to get a feel for what will be fixed in Windows by Bulletins 2 and 3.

"I highly doubt that the same lines of code in Windows XP or Server 2003 are in Windows 8," said Storms, when asked if the top-to-bottom updates for Windows meant that Microsoft dragged 12 years of legacy code through the operating system. "The code has been rewritten over the years, but the same functionality is there, and that's where the hole will be."

Other security professionals tapped Bulletin 2 as the priority this month. "Of these first three [that are all critical], Bulletin 2 is the most powerful," argued Tommy Chin, technical support engineer at Core Security, in an email. "It affects all listed operating systems across the board, including server core installations."

Chin was right: Bulletin 2 listed Windows Server 2008, Server 2008 R2 and Server 2012 as critical even when deployed as Server Core -- a minimal installation that supports only key features and that, in theory, drastically reduces the attack surface available to hackers.

Two updates targeting Office are also on next week's agenda. Bulletins 4 and 7, both rated important, will patch Office in general and Outlook, Microsoft's email client, specifically. Bulletin 4 will affect every edition of Office, including Office 2003, which is set for retirement alongside Windows XP on April 8, 2014; Office 2007; Office 2010; and the new Office 2013 and its tablet-specific offshoot, Office 2013 RT.

Office 2013 has been patched three times since its January retail debut.

"It looks like Microsoft will have to turn around and do it all again in another month," said Storms, referring to the expectation that the company will have a fix for the just-disclosed zero-day in time for next month's Patch Tuesday. According to Microsoft, that update will affect all versions of Office except for Office 2013.

Including the eight on the docket for next week, Microsoft will have issued 95 updates this year, 12 more than 2012's total. That puts it on pace to break 100 for the first time since 2011 and to come close to 2010's record of 106.

Microsoft will release next week's security updates on Nov. 12 around 10 a.m. PT (1 p.m. ET).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
