
Microsoft to clean up after Oracle's patch mess again next week

Gregg Keizer | Aug. 12, 2013
Slates eight security updates for next week, including critical fixes to Exchange likely stemming from Oracle's Outside In technology.

Microsoft will deliver eight security updates next week to patch dangerous vulnerabilities in Internet Explorer (IE) and the business-critical Exchange Server, as well as less-serious bugs in all versions of Windows.

Experts pushed the IE update to the top of their must-do-ASAP lists.

"That's No. 1, nothing trumps an IE update," said Andrew Storms, senior director of DevOps at San Francisco-based CloudPassage. "Browsers are the most targeted applications."

The IE update also got the nod from Wolfgang Kandek, CTO of security vendor Qualys. "This will be the most important bulletin to implement," Kandek wrote in an email. "It affects all versions of IE ranging from IE6 on Windows XP to IE10 on Windows 8 and RT."

Kandek was right: In the advance notice Microsoft published Thursday, the company pegged the IE update as critical for every still-supported version of its browser, including the newest, IE10, which runs on Windows 7, Windows 8 and Windows RT.

Of the eight updates slated to ship next Tuesday, Microsoft labeled three of them "critical," the company's most severe rating. The remaining five will be tagged "important," the next step down in Microsoft's four-level threat scoring system.

Also critical was the planned update to all versions of Exchange Server, from Exchange 2007 to Exchange 2013, the version rolled out last October.

Some security professionals urged companies to patch Exchange before IE.

"This month is all about the Exchange server," said Tommy Chin, a technical support engineer at CORE Security, in an email. "The remote code execution [vulnerability] within the Exchange server represents a threat to all companies using Exchange to run their e-mail service."

Storms wasn't as concerned about the Exchange update. "I'll bet a ton of money that this is an update to Oracle's Outside In," he said.

Exchange relies on Outside In libraries to display file attachments in a browser rather than open them in a locally stored application, like Microsoft Word.

Oracle patched Outside In last month, but because its security updates came a week after Microsoft shipped July's Patch Tuesday slate, this will be the Redmond, Wash. developer's first chance to update Exchange.

Microsoft has been forced to patch Exchange several times in the past because of bugs in Oracle's Outside In, most recently in February 2013, but also twice in 2012.

Storms thought Microsoft must be tired of plugging Oracle's holes, especially in Exchange, which, as Chin of CORE Security pointed out, is mission-critical software in business.

"What if all email suddenly became compromised? For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today's email conversations," Chin said.

"I wouldn't be surprised if Microsoft is looking at a different technology or even writing something in-house," said Storms.

