December 8th, 2012
Will fix first bugs in company’s newest browser, again address Windows 8 and Windows RT flaws
Microsoft today announced it will deliver seven security updates next week to patch 11 vulnerabilities, including the first that apply to Internet Explorer 10 (IE10), the company’s newest browser.
As it did last month, Microsoft will also patch Windows 8, Windows RT and Windows Server 2012, its new desktop, tablet and server operating systems.
Five of the seven updates will be marked as “critical,” Microsoft’s highest threat ranking, while the remaining pair will be labeled “important,” the Redmond, Wash. developer said in an advance warning published today.
Andrew Storms, director of security operations at nCircle Security, put the IE update atop his tentative to-do list. Others did, too, including Paul Henry, a researcher with Arizona-based Lumension.
In an email Thursday, Henry said that the bugs in IE9 and IE10 — the only versions directly affected — were “use-after-free” memory management vulnerabilities.
The IE update’s critical rating suggests that the bug(s) can be exploited in “drive-by” attacks, which execute as soon as an unsuspecting user visits a malicious or compromised website.
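As an added illustration, not code from the article, from Microsoft or from the researchers quoted, the C program below sketches the use-after-free pattern named above: an object is freed while another part of the program still holds a raw pointer to it, and the hardened version keeps the object alive with a reference count until every holder has released it. The “DOM node” structure, the tracking allocator (which poisons and remembers released nodes instead of returning them to libc, so the stale access can be detected deterministically rather than triggering undefined behaviour) and every function name are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a browser-style "DOM node" (hypothetical type). */
typedef struct node {
    int id;
    int refcount;
    char text[32];
} node_t;

/* Tracking allocator: a released node is poisoned and remembered rather
 * than handed back to libc, so a later access can be recognised safely. */
#define MAX_TRACKED 16
static node_t *freed_list[MAX_TRACKED];
static int freed_count = 0;

static node_t *node_new(int id, const char *text) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->id = id;
    n->refcount = 1;                        /* creator holds one reference */
    strncpy(n->text, text, sizeof n->text - 1);
    return n;
}

static void node_release_memory(node_t *n) {
    memset(n, 0xAA, sizeof *n);             /* poison, like a debug heap */
    if (freed_count < MAX_TRACKED) freed_list[freed_count++] = n;
}

static int node_is_freed(const node_t *n) {
    for (int i = 0; i < freed_count; i++)
        if (freed_list[i] == n) return 1;
    return 0;
}

/* Vulnerable pattern: a cached raw pointer outlives the object.
 * Returns 1 when the handler ends up touching released memory. */
static int vulnerable_handler(void) {
    node_t *n = node_new(1, "hello");
    if (!n) return -1;
    node_t *held = n;                       /* e.g. an event handler caches the node */
    node_release_memory(n);                 /* DOM removal releases it */
    /* 'held' now dangles; in real code dereferencing it here is the
     * use-after-free a drive-by page would arrange to trigger. */
    return node_is_freed(held);
}

/* Hardened pattern: every holder owns a reference, so removal from the
 * tree cannot release a node somebody still points at. */
static void node_retain(node_t *n) { n->refcount++; }
static void node_put(node_t *n) {
    if (--n->refcount == 0) node_release_memory(n);
}

/* Copies the node text into 'out'; returns 1 if the holder saw freed
 * memory (it should not), 0 otherwise. */
static int hardened_handler(char *out, size_t outlen) {
    node_t *n = node_new(2, "hello");
    if (!n) return -1;
    node_t *held = n;
    node_retain(held);                      /* holder takes its own reference */
    node_put(n);                            /* "removal" drops the creator's ref */
    int freed = node_is_freed(held);        /* still alive for the holder */
    strncpy(out, held->text, outlen - 1);
    out[outlen - 1] = '\0';
    node_put(held);                         /* last reference: released now */
    return freed;
}

int main(void) {
    char buf[32];
    printf("vulnerable handler touched freed memory: %d\n", vulnerable_handler());
    printf("hardened handler touched freed memory:   %d (text=%s)\n",
           hardened_handler(buf, sizeof buf), buf);
    return 0;
}
```

The vulnerable path is exactly the shape a drive-by page targets: script triggers the removal (the release) while a cached pointer is still live, then reuses the freed slot. The reference-counting fix is one of the “defense-in-depth” style changes a vendor can apply to code that shares the pattern even where no trigger has been found yet.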
Although IE9 and IE10 — the latter is the latest in Microsoft’s browser line and so far has shipped in final form only for Windows 8, Windows RT and Server 2012 — will be patched, other still-supported editions will get fixes as well.
“Microsoft is making ‘defense-in-depth’ changes to the other browsers,” said Storms of IE6, IE7 and IE8.
Microsoft has occasionally issued code changes meant to beef up the security of a product even when it is not technically vulnerable to attack.
“The general idea is that the vulnerability is on a new platform, and that during its due diligence, Microsoft found the same [flawed] code in older platforms,” said Storms. “But because they couldn’t actually execute the vulnerability on those [older versions], they’re making changes just in case something in the future is found that can exploit the bug.”
This will be the second month running that Microsoft patches IE: In November, it quashed three critical bugs in IE9. At the time, Storms argued that Microsoft had probably also found one or more of those flaws in IE10, but had managed to fix them before it shipped the browser on Oct. 26.
Other updates will tackle one or more critical vulnerabilities in Windows — including one applicable to Windows 8 and Windows RT; at least one critical bug in Word 2003, 2007 and 2010 on Windows; and some critical flaws in Exchange 2007 and 2010.
That last caught Storms’ eye.
“Exchange is one of the most highly-critical business applications, and it’s not something you want to shut down, especially in December,” Storms said.
But he wasn’t ready to tell companies to pass on the Exchange update. “They may well release some easily-performed mitigations next week,” Storms said, referring to Microsoft’s habit of offering work-arounds to keep software secure until a patch can be applied. “We’ll have to wait and see. This one may have the typical risk-reward equation…. Is it worth the risk to patch or better to leave it alone?”
If companies apply the Exchange update and break their mail systems, especially during a very busy time of the year for retailers, it could be chaos.
Henry, who regularly talks with Microsoft after it has issued its advance notification, said that the Exchange update will address new vulnerabilities in the Outside In code libraries that Microsoft licenses from Oracle.
Exchange uses the libraries to render file attachments in a browser rather than opening them in a locally installed application, such as Microsoft Word. Previous Outside In bugs have likewise been in that attachment-parsing code shipped with Exchange.
Oracle patched two low-threat Outside In bugs in a massive Oct. 16 security update.
If Microsoft ships all seven of the planned updates — occasionally it holds one back at the last minute — the company will have issued 83 security bulletins in 2012, a 17% drop from 2011’s 100 updates, said Storms.
The individual patch count, however, will slip just 5%, with 196 in 2012 compared to 206 the year before.
Microsoft will release the seven updates at approximately 1 p.m. ET on Dec. 11.