Microsoft to tackle under-attack Office bug next week

Gregg Keizer | June 7, 2013
It plans to patch 23 vulnerabilities, including 19 in a critical update for all versions of Internet Explorer.

The other three updates -- like Bulletin 5, labeled "important" by Microsoft -- affect Windows. Two of the three, however, are unusual in that while they don't affect Windows XP, the oldest of the client OSes, they will fix flaws in Windows 7, Windows 8 and Windows RT.

If patches aren't deployed to all versions of Windows, they typically apply to the older editions, not the newer ones. When the opposite happens, Storms said, it's because the vulnerabilities are found in new features or services, or in code that has been completely rewritten, not simply shuffled along from one version to the next.

Microsoft did not reveal whether one of the three Windows updates will patch a flaw in the kernel disclosed two weeks ago by Google security engineer Tavis Ormandy. Ormandy did not report his findings to Microsoft, but instead posted messages to the Full Disclosure security mailing list.

Ross Barrett, senior manager of security engineering at Rapid7, speculated that Bulletin 4 may contain a fix for Ormandy's discovery. "Bulletin 4 ... roughly fits the profile of Ormandy's vulnerability," said Barrett in an email today. "However, there has been a condition that fits that profile, more or less, every month for the past year."

June's Patch Tuesday will mark the year's halfway point: Including next week's five bulletins, Microsoft will have issued 51 updates, 21% more than in the first six months of 2012, but 2% fewer than during the same period in 2011.

Microsoft will release next week's security updates on June 11 around 1 p.m. ET.

