Microsoft To Patch 2 Critical Bugs

Microsoft will fix two critical bugs on Patch Tuesday -- but not for Windows 8.1 users who haven't installed the Windows 8.1 Update.

Microsoft will address two critical bugs in this month's Patch Tuesday, including one that affects all currently supported versions of Internet Explorer (IE).

For most users, the update process will be routine. But Windows 8.1 users will not receive the fixes unless they've installed Windows 8.1 Update. If they have, customers will receive the first update under the company's new policy. Microsoft announced last week that instead of releasing new features every few years in large updates, it will increasingly launch new Windows capabilities via monthly updates, just as it already does for security patches.

Microsoft will address nine bugs total. As mentioned, two are marked "Critical," the company's highest designation. Each involves a flaw that could allow an attacker to remotely take control of the user's machine.


The first critical vulnerability involves IE versions 6 to 11, and the other involves a graphics-related exploit in Windows that could allow an attacker to con the user into opening a malicious file. Microsoft said the first vulnerability is an urgent issue only for locally installed systems, and a moderate issue for server versions of Windows. The second critical bug, meanwhile, affects only professional and business editions of Windows 7, 8, and 8.1. It does not apply to widely used consumer products such as Windows 7 Home Basic.

In a blog post, Wolfgang Kandek, CTO of security vendor Qualys, said the IE fix should be users' top priority because most cyber-attacks involve web browsers. To help improve IE security, Microsoft's Tuesday package will also modify IE versions 8 to 11, excluding the Modern edition of IE in Windows 8 and 8.1, to block outdated versions of the Java ActiveX plug-in. According to Microsoft, this change will close holes that attackers often use to trick users into clicking malicious links.

The other fixes are rated "Important." One deals with a remote execution flaw in the Office 2007 version of OneNote, while three others nuke bugs that could allow a user to elevate his credentials and potentially gain unauthorized administrative privileges. Both PC-based versions of Windows and server products are affected.

Kandek noted that attackers might exploit credential-elevation flaws by obtaining stolen credentials that belong to a low-level employee, using these credentials to get basic network access, and then using the flaw to acquire administrator status. From there, the attacker could install malware to take control of the machine.

The remaining updates plug holes that could allow security mechanisms to be bypassed in Windows. Microsoft will begin rolling out the update on Tuesday around 11:00 a.m. PT. To address customer questions, the company will host a webcast Wednesday at the same time. Four of the nine fixes, including the critical one for IE, require that machines be restarted, which could add a few steps to the process for IT admins.

Windows 8.1 users who have not upgraded to Windows 8.1 Update will not receive Tuesday's security improvements. The company will continue to support the original version of Windows 8 until at least the end of 2015, but Windows 8.1 users are a different story. Consumer Win 8.1 customers who haven't installed Update haven't received new security patches since earlier this summer. Business customers originally faced the same deadline, but after hearing complaints, Microsoft gave many of its commercial customers extra time. That grace period expires this month, however.

This Tuesday's bundle is also expected to include feature enhancements for Windows 8.1 Update, including more precise touchpad controls, and expanded Miracast support. Microsoft was originally expected to launch a series of new features in a large "Update 2," but the company said not to expect major Windows 8.1 updates, and that it will launch new features via a continuous upgrade cycle. This change is one of several Microsoft efforts to move customers, many of whom are invested only in older products, to the company's newest platforms. It recently announced, for example, that starting in 2016, IE users will receive security updates only if they're moved to the latest version of the browser available on their particular system.

Rumors also continue to swirl that Microsoft is readying the next version of Windows, which is codenamed "Threshold" and might be called "Windows 9" when it hits the market. "Threshold" is expected to include virtual desktops and a reimagined Start menu, among other improvements. It's not clear, however, how the release of a new version of Windows might reconcile with the company's intention to continually push out iterative updates.
