Microsoft said it will address security vulnerabilities in Internet Explorer, Windows and Office next week when it plans to issue eight security bulletins as part of its monthly Patch Tuesday round of updates.
The November 2013 Advance Notification indicates three critical bulletins that address remote code execution flaws in the browser and Windows. The updates impact all versions of Internet Explorer running on all supported versions of Windows, including Windows RT and Windows 8.1, the software maker's latest operating systems.
The other security updates, which also impact Windows and Office, are rated important and address coding errors that could expose information and flaws that could be used to cause a system to crash.
Browser updates are a common occurrence for Microsoft, and solution providers said that most firms will want to get Internet Explorer patches out quickly. Other updates should be thoroughly tested to ensure that critical applications don't fail when the patches are applied, they said.
Keeping up with security updates can be a nightmare for organizations, said Rob Kraus, director of research at managed security services provider Solutionary. Microsoft's regularly scheduled updates help patching administrators plan for system updates, Kraus said.
"Automatic updates are good for home users but applying patches without testing them can be detrimental to legacy software that rely on libraries within the operating system that are very particular," Kraus told CRN. "An update can cause an old function to become deprecated, or an underlying component can be updated with a new feature causing legacy software to crash."
Microsoft said it would not address a Windows Vista zero-day vulnerability being actively targeted by cybercriminals. Solution providers told CRN this week that the fact that the threat is limited to the Middle East and South Asia makes it less of a risk for U.S.-based business users. Most businesses are either using Windows XP or have migrated to Windows 7, said Rick Jordan, director of sales and strategy at Tenet Computer group.
The latest security research indicates that the attacks are being customized to target specific individuals. Jaime Blasco, director of research at security firm AlienVault, found clues that the ongoing attacks targeted Pakistani individuals. Microsoft issued an automated patch that temporarily blocks the rendering of TIFF images on a Windows system while engineers work on developing a permanent patch.
In October, Microsoft addressed two Internet Explorer zero-day vulnerabilities. The repairs were among 26 flaws patched across its product line.
PUBLISHED NOV. 7, 2013