
Microsoft to patch IE10 Pwn2Own bugs next week, says security expert

Gregg Keizer | April 5, 2013
Microsoft will ship nine security updates next week, two rated "critical," to patch Internet Explorer, Windows, SharePoint Server, Office Web Apps and the company's anti-malware software in Windows 8 and RT.

Storms hesitated to speculate on the Windows update's focus, noting that there was simply not enough information to make an informed guess. "They haven't changed the format or amount of data in the advanced notification," Storms pointed out. "But to read the tea leaves, we'd have to try to pull out details that just aren't there yet."

None of the seven updates rated as important allow for "remote code execution," a phrase that indicates cybercriminals could exploit the vulnerability to hijack a PC. Instead, they're described by Microsoft as "elevation of privilege," "denial of service" or "information disclosure" bugs.

Some researchers were wary of the total update count. Alex Horan, a senior product manager at CORE Security, was one. "I find the sheer volume of patches this month to be noteworthy," he said in an email. "Large numbers of updates lead to more administration and ultimately delays. This can allow critical vulnerabilities to be exploited while less significant concerns simply cloud the security picture."

Storms disagreed. "I'm not entirely concerned on the count," he said. "You have to look at the priorities and the ratings on how critical they are to decide if you need to deploy immediately."

Among the seven important updates are ones aimed at Windows Defender, the anti-malware tool bundled with Windows 8 and Windows RT; SharePoint Server, which was patched last month; and Office Web Apps 2010, the stripped-down, online apps for Excel, PowerPoint, Word and OneNote.

Although security experts, including Storms, have criticized Microsoft for providing too little information about updates to its Modern apps, Storms remained a supporter of the more-informative advance notifications for traditional software.

"There's still value here," he said. "We have the number of updates, what's affected, the criticalities. There's no Exchange update this month, for example, so the Exchange team can take the month off."

Microsoft will issue next week's slate of nine updates on April 9 around 1 p.m. ET.

 
