Microsoft to release seven security updates next week

Summary: Two of the seven address at least one vulnerability rated Critical, and one of those affects an unusually broad collection of Windows and Office products.


Microsoft has released its advance notification for this month's Patch Tuesday updates. The company will release seven security bulletins. Two of them address at least one vulnerability rated Critical.

Bulletin one (which will likely be released as MS14-030) is a Critical remote code execution bug in Internet Explorer, affecting all supported versions of IE, including IE11 on Windows 8.1. As with other IE bulletins, all server versions of Windows are affected, but at a lower severity rating, because IE on Windows Server runs by default in Enhanced Security Configuration, which locks down scripting and ActiveX for untrusted zones. Server Core installations of Windows Server do not include IE and are not affected.

Bulletin two is unusual in that it affects a broad selection of both Windows and Office products. It is a remote code execution vulnerability rated Critical on all versions of Windows, Server Core included. It is also Critical on Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, but not on Lync Server. It is rated Important for Office 2007 and Office 2010; Office 2013 appears not to be affected.

The remaining five bulletins are rated at most Important. Bulletin three affects only Office 2007 and the Microsoft Office Compatibility Pack Service Pack 3.

Bulletins four and five address information disclosure bugs in Windows and Lync Server respectively. Bulletin six is a denial of service bug affecting all Windows versions since Vista, and bulletin seven is a "tampering" bug, a category Microsoft rarely uses; Windows 7, 8.x and Server 2012 are affected.

Topics: Security, Microsoft, Windows


Talkback

28 comments
  • And tonight's top story...

    ... Windows XP is STILL DEAD.
    pishaw
    • Dead since Vista SP1.

      It Is Dead Since Vista SP1.
      Rikkrdo
  • This is nothing to worry about

    Let's focus on LD's latest Linux joke instead:

    "Two very serious security issues with linux. Linux has more holes than swiss cheese. It's time to pull support for linux and let the project disband. I'll be calling up clients asking them to shut down any linux boxes they are running because we simply cannot take this kind of risk."

    I'm a big fan of LD, the resident forum clown. He's here to entertain us!
    Smalahove
    • All those eyes supposedly on linux

      and yet nobody sees all the glaring holes...
      hoppmang
    • Thanks for quoting me

      It's always nice to see my fans back up what I have to say.
      Loverock.Davidson
      • You're welcome, but please write more new material too

        We need your jokes, to balance out the serious posts in here.
        Smalahove
      • Comprehension problem???

        He didn't back you up... You are the class clown.
        jessepollard
        • That is not what I got from the post

          I got that he thinks so highly of me and knows I'm right that he is quoting me so that others can see. That is called backing me up.
          Loverock.Davidson
          • Yes, I DO think highly of your skills as a comedian

            That's why I'm a fan. You write in such a way that everybody instantly knows that your posts are not to be taken seriously. But you should write more NEW jokes too.
            Smalahove
          • Regardless...

            He got your attention, and your goat. LOL
            TechNickle
  • Why wait until next week?

    If Microsoft are aware of security issues, including at least one critical, why are they waiting until next week?

    Sounds no different to Apple with the SSL/TLS issue in OS X 10.9.1
    5735guy
    • They try to keep it on schedule

      They need it to be like that on enterprise machines, they need to have predictability.
      Michael Alan Goff
      • Predictability can be created by any individual or organization

        With GNU/Linux and BSD, one could arbitrarily declare *Nix Patch Tuesday as the 3rd Tuesday of the month. All updates that have accumulated over the last month get applied (or, first, tested by organizations) on ... drum roll ... the 3rd Tuesday of the month.

        The difference is that Microsoft decides for its users which security updates warrant out-of-band patches. And, of course, organizations can opt to apply a workaround in lieu of applying an out-of-band patch and wait for the next Microsoft Patch Tuesday to apply (or begin testing) the updates. With GNU/Linux and BSD, the *Nix sysadmin, CSO and/or CIO can decide which patches need to be applied immediately, rather than waiting for *Nix Patch Tuesday.

        Continuous patching IMO gives individuals and organizations the most flexibility and provides improved security.

        P.S. Some time ago I installed Ubuntu on a used laptop and shipped it to relatives. The patch schedule they ended up using was applying the updates every weekend.
        Rabid Howler Monkey
        • Every weekend?

          And here I'm told Linux doesn't get patched as often as Windows.
          Michael Alan Goff
    • the ratings

      Are typically more just a guide for enterprises so they know which ones to concentrate on first.

      If the security issue was really serious and didn't have a workaround then they'd do an out-of-band release, as they do on occasion. It's also based on their monitoring, so if they don't see a flaw being exploited then they can stick with the schedule.

      The schedule provides a nice consistency for enterprises, and for users it stops them getting patch rage from seeing updates all over the place like on some other platforms and products (like Steam - I mean seriously - 4 patches in one week??? Is it really that hard to bundle them up as a weekly/monthly release?)
      aesonaus
  • How old is this IE bug?

    "critical remote code execution Internet Explorer bug, affecting all versions of Internet Explorer"

    All supported versions include IE 8, don't they? That means this bug has been exploitable for what, 4 years? Even longer if it exists in old, no longer supported, versions of IE. Of course, we'll never know for sure.

    As Larry has said: "some programs are so critical to society at large that someone needs to step in and make sure they are properly secured." (http://www.zdnet.com/did-open-source-matter-for-heartbleed-7000028378/)

    So Larry, why are you not advocating for someone to step in and make sure Microsoft software is properly secured?
    anothercanuck
    • not sure what your level of knowledge of testing is

      But updates are always capable of adding flaws and thus regression testing is oh so very important.

      Perhaps these bugs are the result of the change to fix the adobe flash flaw, or some other change.

      At least they appear to pick up the issue and fix it.

      I'd like to know how much regression testing was done on the heartbleed fix to ensure it didn't just introduce some other bug to the system.
      aesonaus
      • Which Heartbleed fix are you referring to?

        The quick fix, or the long term solution?

        Oh, didn't know there were 2 fixes?

        The quick fix, that has been updated to almost all systems, is a simple disabling of the heartbeat function where the faulty memcpy call was. Since the heartbeat is optional, and only works if both client and server support it, this was a quick and easy fix. This is what Redhat did with its Openssl 1.0.1e-16 update.

        The long term fix, in Openssl 1.0.1g version, is adding a bounds check to the memcpy call. This fix is still considered unstable, until further testing is complete.

        I don't think there are any regression worries for either of the fixes, and Openssl is in good hands.
        anothercanuck
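The two fixes the comment above distinguishes are easiest to see side by side. The C below is an example added here by the editor; it is neither OpenSSL's code nor the commenter's. `heartbeat_vulnerable` models the pre-1.0.1g logic, in which the 16-bit payload length supplied by the peer drives the memcpy, and `heartbeat_fixed` adds the two bounds checks that 1.0.1g introduced. The `hb_record_t` struct, `make_request`, the zero padding and the 'S' filler standing in for neighbouring process memory are all constructed for the example. The quick fix the comment mentions, disabling heartbeats entirely (OpenSSL's `OPENSSL_NO_HEARTBEATS` build option), needs no code here because it simply compiles this handler out.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record after the record layer has
 * delivered it: `data` is the record body, `length` its true length.
 * Example code, not OpenSSL's own structures. */
typedef struct {
    const unsigned char *data;
    size_t length;
} hb_record_t;

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Build the response the way both versions do: type byte, 16-bit length,
 * `payload` bytes copied from `src`, then padding (zeros here; OpenSSL fills
 * it with random bytes). Returns the response length, 0 if `out` is too small. */
static size_t build_response(const unsigned char *src, size_t payload,
                             unsigned char *out, size_t outcap)
{
    size_t n = 1 + 2 + payload + HB_PADDING;
    if (n > outcap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);        /* the memcpy the comment refers to */
    memset(out + 3 + payload, 0, HB_PADDING);
    return n;
}

/* Pre-fix logic (OpenSSL 1.0.1 to 1.0.1f): the payload length is taken from
 * the peer's request and never compared with rec->length, so the memcpy reads
 * past the record into whatever follows it. Returns bytes written, 0 on error. */
size_t heartbeat_vulnerable(const hb_record_t *rec, unsigned char *out, size_t outcap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];   /* OpenSSL's n2s() */
    p += 2;
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(p, payload, out, outcap);
}

/* 1.0.1g logic: require room for type, length and padding, then require the
 * claimed payload plus padding to fit in the record; discard silently otherwise. */
size_t heartbeat_fixed(const hb_record_t *rec, unsigned char *out, size_t outcap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype;
    size_t payload;

    if (1 + 2 + HB_PADDING > rec->length)
        return 0;
    hbtype = *p++;
    payload = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length)
        return 0;
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(p, payload, out, outcap);
}

/* Constructed input: a request carrying the 4-byte payload "ping" plus 16
 * padding bytes (23 bytes of real record) but claiming `claimed` payload
 * bytes. The rest of `mem` is filled with 'S' to stand in for neighbouring
 * process memory, so an over-read shows up as 'S' bytes in the response. */
hb_record_t make_request(unsigned char *mem, size_t cap, unsigned claimed)
{
    hb_record_t rec = { mem, 1 + 2 + 4 + HB_PADDING };
    memset(mem, 'S', cap);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + 3, "ping", 4);
    memset(mem + 7, 0, HB_PADDING);
    return rec;
}

int main(void)
{
    unsigned char mem[64], out[128];
    unsigned claimed = 32;                               /* claims 32, holds 4 */
    hb_record_t rec = make_request(mem, sizeof mem, claimed);
    size_t in_record = rec.length - 3;                   /* payload + padding actually present */
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    size_t leaked = claimed > in_record ? claimed - in_record : 0;
    printf("vulnerable: %zu-byte response, %zu bytes copied from beyond the record\n", n, leaked);
    printf("fixed:      %zu-byte response (0 = request discarded)\n",
           heartbeat_fixed(&rec, out, sizeof out));
    return 0;
}
```

With the same 23-byte record, the vulnerable handler returns a 51-byte response whose tail is filler from outside the record, while the fixed handler discards the request; when the claimed length is honest (4), both return the same 23-byte response. That is the whole of the long-term fix: two comparisons against the length the record layer actually delivered.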
        • yep

          So good it has had further flaws alongside the 2 kernel level flaws in different Linux distros in the past 2 weeks.

          Not a good time to be trying to tout security on Linux vs Windows - perhaps wait a month (unless more major security flaws for Linux comes out) - or wait for a major bot net to hit the Win XP machines now they aren't being patched.
          aesonaus
          • Yes perhaps you're right

            A month from now, there will have been 4 more IE bugs, 2 Outlook bugs, 3 Office bugs, and 6 Windows bugs.

            Talk to ya in a month.
            anothercanuck