Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush

IE is AWOL from the patch list for the second month in a row

Microsoft Thursday said it will issue five security updates next week, two tagged as "critical," to close holes in Windows and the company's Exchange-based Forefront Protection 2010 security software.

Three of the four updates for Windows will affect Windows XP, the 13-year-old operating system that Microsoft plans to retire from patching support on April 8. After next week's Patch Tuesday, Microsoft has just two more rounds of security updates on its schedule before it pulls the plug on the aged OS.

One of the two critical updates -- and the only one that will apply to Windows -- does not even patch XP, according to Microsoft's typically-terse advanced notification published Thursday. Instead "Bulletin 1." as that update was tentatively labeled, will patch Windows 7, 8 and 8.1; Window RT and RT 8.1; and Windows Server 2008 R2, 2012 and 2012 R2. All are among the newer editions from Redmond.

"It's probably a classic [case] of something new added or some new bit of code introduced in newer versions," said Andrew Storms, director of DevOps at CloudPassage, explaining Bulletin 1's impact.

Two other Windows updates do affect XP, but both were rated as "important" on Microsoft's four-step scoring system, a level lower than critical. One could be used by attackers to obtain additional access right while the other could be used to snatch personal data from the compromised PC.

Also rated critical was the update for Forefront Protection 2010, a security and anti-spam program deployed on on-premises Exchange email servers. As usual, Microsoft provided no clues as to what the update will actually patch or where the vulnerability lies, but because Forefront is deployed on company-critical Exchange systems, it should be closely examined next week.

"This one is critical with [remote code execution] on Exchange, which is always going to get a lot of attention," said Storms. "It might just top our list next week, although we'll have to see the attack vector first."

Forefront Protection 2010 was one of a slew of Forefront-named products that Microsoft killed in December 2012. But although it has halted development and sales of Forefront Protection, it has promised to keep patching the program and delivering new signatures -- the fingerprint-like components that identify new malware or spam -- until the end of 2015.

But Storms and other security experts were almost as interested in what Microsoft would not patch next Tuesday as what it said yesterday it would fix.

"I nearly choked on my coffee when I saw no Internet Explorer update this month," said Storms about the omission of any patches for Microsoft's IE browser. "They went for years with at least an update every other month. And then a year of an update every month. Now none for 2 months in a row. Call it the blue moon, the black swan, whatever, but it's strange and a lot of people are wondering what is going on."

Storms dismissed the idea that Microsoft had run out of bugs to fix in IE, which according to Web metrics company Net Applications is used by more of the world's online population than any other, with a user share in January of 58.2%.

The lack of an IE update and the light load -- just five updates, following only four last month -- made him wonder if Microsoft's security and patching teams had taken a long vacation at the end of 2013. If so, it would have been a departure from the norm: In January 2013, Microsoft released 8 updates, with another 12 in February 2013.

Microsoft will have one more chance to patch bugs in IE before the Pwn2Own hacking contest starts next month. Pwn2Own, co-sponsored by Hewlett-Packard and Google, plans to give $100,000 to the first researcher or team able to compromise IE11 on a Windows 8.1-powered PC. An even larger prize of $150,000 awaits the first to hack the same setup when protected by Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a utility that manually enables anti-exploit technologies.

Pwn2Own runs March 12-13, while Microsoft's Patch Tuesday for the month is set for March 11.

Microsoft will release next week's security updates on Feb. 11 around 1 p.m. ET.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is

> >

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingMicrosoftsecurityBullthreeMalware and Vulnerabilities

More about Andrew Corporation (Australia)AppleGoogleHewlett-Packard AustraliaMicrosoftToolkitTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts