Microsoft to issue many Windows patches

Summary: Next Tuesday Microsoft will release nine updates to Windows, Internet Explorer, the .NET Framework, SQL Server and Office. Two updates to Windows and IE are critical.

Microsoft has released its advance notification for the August 2014 Patch Tuesday updates. There will be a total of nine updates issued next Tuesday, August 12, two of them rated critical.

The two critical updates affect Windows and Internet Explorer. The critical Windows update affects only business and professional editions of Windows 7 and Windows 8. The Internet Explorer update affects all versions on all supported platforms. The remaining seven updates are rated important and affect Windows, Office, SQL Server, the .NET Framework and SharePoint Server 2013.

Microsoft will also release a new version of the Windows Malicious Software Removal Tool and probably some as-yet undisclosed number of non-security updates to various Windows versions. It has also become popular for other companies, most prominently Adobe, to release security updates for their own products on that day.

As announced earlier this week, Microsoft will also be releasing a change to Internet Explorer on Tuesday that will cause it to warn users when the browser attempts to load an ActiveX control that is on a Microsoft-maintained list of old and out-of-date controls. Initially, the list will contain only old Java versions.

Topics: Security, Microsoft, Windows

Talkback

24 comments
  • Blog stuffing...

    Bloggers like Larry must be HAPPY about Microsoft's patch policy.

    TWICE a month (when the advance notice goes out and when the actual patches are made available) they get to write guaranteed click bait blog-posts!

    Paid per click, this is a real money-maker!
    honeymonster
  • Now THAT is many patches!

    Microsoft's patch set for the month (August patches) consists of 9 patches across products such as Internet Explorer, Windows, Office, SQL Server, Server, .NET.

    That's not many patches.

    For the same month, Canonical has issued patches for 80(!) vulnerabilities in Ubuntu Linux, of which more than 12(!) were Linux *kernel* vulnerabilities.

    Now, *that* is many patches. Linux security can best be described as akin to Swiss cheese.
    honeymonster
    • Source?

      “Canonical has issued patches for 80(!) vulnerabilities in Ubuntu Linux, of which more than 12(!) was Linux *kernel* vulnerabilities.”
      daikon
      • The source is Ubuntu security notices

        Find them here: http://www.ubuntu.com/usn/

        The CVE numbers for the 80 in July are:
        CVE-2014-5033, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0012, CVE-2014-1402, CVE-2014-4607, CVE-2014-1730, CVE-2014-1731, CVE-2014-1735,
        CVE-2014-1740, CVE-2014-1741, CVE-2014-1742, CVE-2014-1743, CVE-2014-1744, CVE-2014-1746, CVE-2014-1748, CVE-2014-3152, CVE-2014-3154, CVE-2014-3155,
        CVE-2014-3157, CVE-2014-3160, CVE-2014-3162, CVE-2014-3803, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-1544, CVE-2014-1547,
        CVE-2014-1549, CVE-2014-1550, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560, CVE-2014-1548,
        CVE-2014-1561, CVE-2014-1419, CVE-2014-3467, CVE-2014-3468, CVE-2014-3469, CVE-2014-3537, CVE-2014-3230, CVE-2014-2494, CVE-2014-4207, CVE-2014-4258,
        CVE-2014-4260, CVE-2014-4943, CVE-2014-1739, CVE-2014-3144, CVE-2014-3145, CVE-2014-3940, CVE-2014-4608, CVE-2014-4611, CVE-2014-0131, CVE-2014-3917,
        CVE-2014-4014, CVE-2014-4027, CVE-2014-4699, CVE-2014-3985, CVE-2014-4909, CVE-2013-7345, CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480,
        CVE-2014-3487, CVE-2014-3538, CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721, CVE-2014-3477, CVE-2014-3532, CVE-2014-3533, CVE-2014-1545

        The 12 CVEs labeled (by Canonical themselves) as *kernel* vulnerabilities: CVE-2014-4943, CVE-2014-1739, CVE-2014-3144, CVE-2014-3145, CVE-2014-3940, CVE-2014-4608, CVE-2014-4611, CVE-2014-0131, CVE-2014-3917, CVE-2014-4014, CVE-2014-4027, CVE-2014-4699

        Some of the others are clearly also kernel vulns - although not labeled as such.
        honeymonster
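The counts in the comment above can be checked mechanically rather than by eye. What follows is an added example, not code from the page's author or from Canonical: it takes the CVE IDs exactly as listed in that comment, validates their format, de-duplicates them, flags identifiers that were broken by line-wrapping (a common way a pasted list silently loses entries), and confirms that the 12 kernel IDs are a subset of the 80. The helper names are my own.

```python
import re
from collections import Counter

# The 80 CVE IDs the comment above attributes to Ubuntu Security Notices for
# July 2014, copied from the page (the page's own data, not constructed here).
USN_JULY_2014 = """
CVE-2014-5033, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0012, CVE-2014-1402, CVE-2014-4607, CVE-2014-1730, CVE-2014-1731, CVE-2014-1735,
CVE-2014-1740, CVE-2014-1741, CVE-2014-1742, CVE-2014-1743, CVE-2014-1744, CVE-2014-1746, CVE-2014-1748, CVE-2014-3152, CVE-2014-3154, CVE-2014-3155,
CVE-2014-3157, CVE-2014-3160, CVE-2014-3162, CVE-2014-3803, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-1544, CVE-2014-1547,
CVE-2014-1549, CVE-2014-1550, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560, CVE-2014-1548,
CVE-2014-1561, CVE-2014-1419, CVE-2014-3467, CVE-2014-3468, CVE-2014-3469, CVE-2014-3537, CVE-2014-3230, CVE-2014-2494, CVE-2014-4207, CVE-2014-4258,
CVE-2014-4260, CVE-2014-4943, CVE-2014-1739, CVE-2014-3144, CVE-2014-3145, CVE-2014-3940, CVE-2014-4608, CVE-2014-4611, CVE-2014-0131, CVE-2014-3917,
CVE-2014-4014, CVE-2014-4027, CVE-2014-4699, CVE-2014-3985, CVE-2014-4909, CVE-2013-7345, CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480,
CVE-2014-3487, CVE-2014-3538, CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721, CVE-2014-3477, CVE-2014-3532, CVE-2014-3533, CVE-2014-1545
"""

# The 12 IDs the same comment says Canonical labels as kernel vulnerabilities.
KERNEL_JULY_2014 = """
CVE-2014-4943, CVE-2014-1739, CVE-2014-3144, CVE-2014-3145, CVE-2014-3940, CVE-2014-4608,
CVE-2014-4611, CVE-2014-0131, CVE-2014-3917, CVE-2014-4014, CVE-2014-4027, CVE-2014-4699
"""

# A well-formed CVE ID: "CVE-", a four-digit year, then four or more digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_cves(text):
    """Return the unique well-formed CVE IDs in text, in first-seen order.

    Separators (commas, newlines, spaces) are ignored, and a duplicate ID is
    counted once, so pasting part of a list twice does not inflate the total.
    """
    seen = []
    for match in CVE_RE.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def count_truncated(text):
    """Count 'CVE-' prefixes that do not begin a well-formed ID.

    A list wrapped mid-identifier (for example 'CVE-2014-391' at the end of
    one line and '7' at the start of the next) loses entries silently with a
    plain regex scan; this exposes them instead of dropping them.
    """
    return text.count("CVE-") - len(CVE_RE.findall(text))


def by_year(cves):
    """Histogram of IDs by the year field of the identifier."""
    return dict(Counter(cve.split("-")[1] for cve in cves))


def missing_from(subset, superset):
    """IDs claimed in subset that do not appear in superset."""
    sup = set(superset)
    return [cve for cve in subset if cve not in sup]


def summarize(all_text, kernel_text):
    """Cross-check a 'total' list against a claimed subset of it."""
    all_cves = extract_cves(all_text)
    kernel = extract_cves(kernel_text)
    return {
        "total": len(all_cves),
        "truncated": count_truncated(all_text),
        "kernel": len(kernel),
        "kernel_missing": missing_from(kernel, all_cves),
        "by_year": by_year(all_cves),
    }


if __name__ == "__main__":
    for key, value in summarize(USN_JULY_2014, KERNEL_JULY_2014).items():
        print(f"{key}: {value}")
```

Run as-is it reports 80 unique IDs, none truncated, 12 kernel IDs all present in the larger list, and one ID (CVE-2013-7345) carrying a 2013 year. The `truncated` figure is the one worth watching when the list comes from a web page or e-mail: the version of this list rendered on the page has two identifiers split across line breaks, and a scan that only counts regex matches would have quietly reported 78.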
        • Now, now

          Now, now, @honeymonster, let's not start confusing the argument with actual facts ... ;)
          bitcrazed
          • Facts, yes

            Relevance to the article, none.

            Having said this, I believe that it would be appropriate for ZDNet to pick a single Linux distro amongst RHEL, CentOS, SUSE, Oracle Enterprise Linux, Debian or Ubuntu and cover security vulnerabilities and patches as it does for Microsoft Windows. This approach would have far more legitimacy than honeymonster having a nervous breakdown. And it would also even the playing field.

            Are you game Mr. Seltzer?
            Rabid Howler Monkey
    • The Microsoft patches are for a few products...

      Windows itself (5), IE, Office, Microsoft SQL Server, .net - with some overlap there.

      The Canonical patches cover several hundred optional features available, from various database systems, many languages, development tools, desktop systems, server systems, different office processing options ...

      There is a LOT more software available for a base.

      Come back when you have added all of the MS products for Windows, and all of the patches for them as well.

      And that is not comparable to the list of MS patches.
      jessepollard
      • Wrong, Jesse

        The monthly patches are for *all* Microsoft software. That e.g. Exchange Server is not patched this month simply means that it is a 0 (zero). Had they discovered a vuln and issued a patch for it, it would have been counted here as well.

        But as you write yourself, only 5 of the patches were for Windows itself. In the same timeframe Canonical has issued 12 patches for Linux *kernel* vulnerabilities.

        Need I remind you that the kernel is only a fraction of a modern OS. Patches labeled as "Windows" include patches for kernel vulnerabilities, but also for other core parts of the operating system, such as the graphics shell, file server, IIS server, Hyper-V, RDP, utility programs such as Windows Explorer, editors, messaging, etc.

        The Linux *kernel* does not include the equivalent of the graphic shell (that would be X + KDE/Gnome), file server, IIS server (equivalent would be Apache + Tomcat), Hyper-V.

        So the Linux kernel had more vulnerabilities patched across a *significantly* smaller attack surface.

        Swiss Cheese Linux kernel.
        honeymonster
        • Kudos to Canonical and all the developers

            for patching ALL software one could possibly install on a system.

            Thank you, honeymonster, for highlighting Canonical's outstanding commitment to providing the best service to its customers.

          Kudos again to Canonical.
          daikon
          • They bloody well HAVE to

            Linux dependency hell has created a situation where not just each distribution but each *version* of each distribution needs to have all software compiled specifically for that version.

            Stray from that *version*- and *distro*-specific repository and you are knee-deep in dependency hell - probably bricking your system beyond repair if you install software with incompatible versions of common libraries.

            The "repository" solution has all but guaranteed that hundreds or thousands of compilations need to exist for one piece of software. Creators of software would *never* accept to take responsibility for compatibility with so many versions. Hence, the distributions need to pick up that ball if they want the software to be available for their distro.

            Yes, repositories are nice as long as they are maintained. But when they are not, you had better upgrade your ENTIRE OS to a version with a supported repository.

            Meanwhile, Windows allows side-by-side existence of DLLs (no more DLL hell since Vista), ensuring perfect binary compatibility, both backwards compatibility and forwards compatibility. Much easier for vendors to work with. They just need to create one single version and maintain that.
            honeymonster
          • .....Linux dependency hell.......

            Please tell us more about this "Linux dependency hell". In over 6 yrs of using Ubuntu, Slackware, and Puppy Linux based distros for 90% of our computing needs we have not experienced any "Hell" of any kind. Certainly no more difficult for us to maintain than the various Windows versions (XP, Vista, Windows 7) over the same time period.

            For us it just works. As usual your mileage may vary......
            tietchen
          • The only time I ran into that

            was when I was beta testing, it happened occasionally. It didn't even happen all that often then. Dependency Hell is vastly overstated.
            Michael Alan Goff
          • No DLL Hell since Vista? Think again...

            http://www.drdobbs.com/windows/no-end-to-dll-hell/227300037
            jasonp@...
    • not an apples to apples comparison

      honeymonster,

      I really hope you're trolling. Comparing patches to the number of vulnerabilities isn't an accurate comparison. In my mind it's akin to saying watermelons are better (or worse) than chickens, because they have more seeds, and a hen can only lay an egg a day.

      Different organisations report security vulnerabilities in different manners. Some don't create CVEs for internally discovered vulnerabilities some bundle vulnerabilities into the same CVE, and the list goes on.

      If you're interested in vulnerability stats take a look at the below presentation. These guys deal with vulnerabilities all day, every day for a living.

      Quick 4 minute video - https://www.youtube.com/watch?v=R7fl8COVJ1I
      The full presentation given at blackhat last year - http://attrition.org/security/conferences/2013-07-BlackHat-Vuln_Stats-draft_22-Published.pptx
      altonius
  • That's rather strange

    I received three updates last week alone. OK, they were all for Windows Defender, but I received three of them on three different days!

    I believe they should push out patches as they become available, and damn the schedule! If it's ready, put it out there, especially in these days of zero day attacks.
    bart001fr
    • Updates to Windows defender are not patches

      to vulnerabilities. A vulnerability is an error which can be used by an attacker to gain privileges, execute code, bypass security barriers etc.

      Windows Defender updates do not close or patch vulnerabilities. Rather, they are updates to the pattern recognition engine which protects you from both software you may download yourself as well as malicious software exploiting 3rd-party software to gain access to your system.

      Windows Defender is part of the defense-in-depth strategy of Windows, which starts at the network interface (firewall closing ports, only allowing authenticated traffic), over running services with low-privilege accounts, under service hardening, over the industry's most advanced anti-exploit mitigations, all the way to mandatory integrity and proper process security with real tokens (and not just stupid uids with unrestricted "God" accounts).

      Windows Defender is but the last line of defense in a multi-layer in-depth defense.
      honeymonster
      • @honeymonster, please get help

        honeymonster wrote:
        "Updates to Windows defender are not patches
        to vulnerabilities. A vulnerability is an error which can be used by an attacker to gain privileges, execute code, bypass security barriers etc."

        Here are two recent Microsoft Security Advisories for Windows Defender:

        "Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service"
        Published: June 17, 2014
        https://technet.microsoft.com/en-us/library/security/2974294.aspx

        "Vulnerability in Windows Defender Could Allow Elevation of Privilege"
        Published: July 09, 2013
        https://technet.microsoft.com/en-us/library/security/ms13-058.aspx

        Both vulnerabilities were patched. Note that the 2nd listed vulnerability involved elevation of privilege. There are more vulnerabilities for Windows Defender if you bother to look.

        And just so the ZDNet Windows nut jobs don't think I'm picking on Microsoft:

        "Serious security issues affect 14 of 17 major antivirus engines"
        July 30th, 2014
        http://securityaffairs.co/wordpress/27165/hacking/serious-flaws-antivirus-engines.html
        Rabid Howler Monkey
        • Missing the point

          There will be several updates to Windows Defender, through the update mechanism, that aren't patching vulnerabilities. Those are the ones that he got, not actual vulnerability patches.
          Michael Alan Goff
          • Nope

            You missed the point.
            Rabid Howler Monkey
          • What point?

            That there are vulnerabilities patched at times? No, I didn't miss that. I missed how those two links would have anything to do with the "three updates in the past week" that the guy was talking about.

            You want to bash Microsoft so bad you don't even use logic.
            Michael Alan Goff