Microsoft To Patch 2 Critical Bugs - InformationWeek

Microsoft will fix two critical bugs on Patch Tuesday -- but not for Windows 8.1 users who haven't installed the Windows 8.1 Update.


Microsoft will address two critical bugs in this month's Patch Tuesday, including one that affects all currently supported versions of Internet Explorer (IE).

For most users, the update process will be routine. But Windows 8.1 users will not receive the fixes unless they've installed Windows 8.1 Update. If they have, customers will receive the first update under the company's new policy. Microsoft announced last week that instead of releasing new features every few years in large updates, it will increasingly launch new Windows capabilities via monthly updates, just as it already does for security patches.

Microsoft will address nine bugs total. As mentioned, two are marked "Critical," the company's highest designation. Each involves a flaw that could allow an attacker to remotely take control of the user's machine.


The first critical vulnerability involves IE versions 6 to 11, and the other involves a graphics-related exploit in Windows that could allow an attacker to con the user into opening a malicious file. Microsoft said the first vulnerability is an urgent issue only for locally installed systems, and a moderate issue for server versions of Windows. The second critical bug, meanwhile, affects only professional and business editions of Windows 7, 8, and 8.1. It does not apply to widely used consumer products such as Windows 7 Home Basic.

In a blog post, Wolfgang Kandek, CTO of security vendor Qualys, said the IE fix should be users' top priority because most cyber-attacks involve web browsers. To help improve IE security, Microsoft's Tuesday package will also modify IE versions 8 to 11, excluding the Modern edition of IE in Windows 8 and 8.1, to block outdated versions of the Java ActiveX plug-in. According to Microsoft, this change will close holes that attackers often use to trick users into clicking malicious links.

The other fixes are rated "Important." One deals with a remote code execution flaw in the Office 2007 version of OneNote, while three others nuke bugs that could allow a user to elevate their privileges and potentially gain unauthorized administrative rights. Both PC-based versions of Windows and server products are affected.

Kandek noted that attackers might exploit privilege-elevation flaws by obtaining stolen credentials that belong to a low-level employee, using those credentials to get basic network access, and then using the flaw to acquire administrator status. From there, the attacker could install malware to take control of the machine.

The remaining updates plug holes that could allow security mechanisms to be bypassed in Windows. Microsoft will begin rolling out the update on Tuesday around 11:00 a.m. PT. To address customer questions, the company will host a webcast Wednesday at the same time. Four of the nine fixes, including the critical one for IE, require that machines be restarted, which could add a few steps to the process for IT admins.

Windows 8.1 users who have not upgraded to Windows 8.1 Update will not receive Tuesday's security improvements. The company will continue to support the original version of Windows 8 until at least the end of 2015, but Windows 8.1 users are a different story. Consumer Win 8.1 customers who haven't installed the Update haven't received new security patches since earlier this summer. Business customers originally faced the same deadline, but after hearing complaints, Microsoft gave many of its commercial customers extra time. That grace period expires this month, however.

This Tuesday's bundle is also expected to include feature enhancements for Windows 8.1 Update, including more precise touchpad controls, and expanded Miracast support. Microsoft was originally expected to launch a series of new features in a large "Update 2," but the company said not to expect major Windows 8.1 updates, and that it will launch new features via a continuous upgrade cycle. This change is one of several Microsoft efforts to move customers, many of whom are invested only in older products, to the company's newest platforms. It recently announced, for example, that starting in 2016, IE users will receive security updates only if they're moved to the latest version of the browser available on their particular system.

Rumors also continue to swirl that Microsoft is readying the next version of Windows, which is codenamed "Threshold" and might be called "Windows 9" when it hits the market. "Threshold" is expected to include virtual desktops and a reimagined Start menu, among other improvements. It's not clear, however, how the release of a new version of Windows might reconcile with the company's intention to continually push out iterative updates.



Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...
