Microsoft today said it will ship 11 security updates next week to patch critical vulnerabilities in Windows, Internet Explorer (IE), Office and Exchange, including one meant to stymie active attacks the company confirmed a month ago.
With the 11 slated for release on December 10, Microsoft's update tally for the year will reach 106, tying the record from 2010 and representing a 28 per cent increase over 2012.
Five of the updates outlined in today's Patch Tuesday advance notification will be marked "critical," the top ranking in Microsoft's scoring system; the remaining six will be labeled "important," one step down in severity.
"IE is the 'of course patch first' update," said Andrew Storms, director of DevOps at San Francisco-based security company CloudPassage.
The critical IE update will affect all currently supported versions of Microsoft's browser, from the aging IE6 to the just-released IE11. The upcoming update means that Microsoft will have patched IE every month of 2013, a feat impossible prior to July 2012, when the Redmond, Wash. company applied fixes only on alternating months.
Microsoft will be forced to support the half-dozen flavors of IE through at least April, when it will finally retire IE6, the oft-derided browser that debuted more than 12 years ago.
"Talk about legacy costs," said Storms in an instant message interview Thursday. "We think about the operational costs for IT departments to manage and maintain X number of old systems, [but] imagine Microsoft having to do the same for all their customers."
Another critical update will patch one or more flaws in a combination of Windows and Office editions to shut down ongoing attacks reported to Microsoft by McAfee researchers in early November. Microsoft issued a security advisory on Nov. 5 that described the threat and offered a temporary fix.
Two of the remaining three critical updates will affect Windows, while the third will patch Exchange, the business-critical email server software that most businesses rely on for delivering messages.
Storms recommended that Microsoft's customers immediately install the critical Windows updates, but hedged on the one for Exchange.
On one hand, the criticality of the Exchange update would seem to demand attention. But Storms pointed out that the decision may be tougher than at first glance, since IT staffs are often short-handed at the end of the year and leery of breaking email at any time.
"Taking the risk of patching and rebooting Exchange at the end of the year will surely create a lot of opinions inside meeting rooms," said Storms, referring to discussions that will take place next week about whether to patch the email servers.
"If we get lucky, [the Exchange vulnerability] will be in Oracle's Outside In, and there will be an easy mitigation," Storms added.
Exchange relies on Outside In libraries to display file attachments in a browser rather than open them in a locally stored application, like Microsoft Word. Microsoft has patched those libraries repeatedly: twice this year, most recently in August, and also twice in 2012.
Outside In was included in Oracle's October patch collection, making it almost certain that the Exchange update will address that technology's latest bugs. "Given Microsoft's time to test patches, the timing of this does match up," agreed Storms in a final instant message.
The six updates marked important will patch vulnerabilities in Windows, Office 2010 and Office 2013, SharePoint Server and Visual Studio Team Foundation Server 2013. If the updates are not deployed, criminals may be able to infect PCs with malware, steal information, acquire additional privileges that would let them run more threatening attacks, or bypass security features.