Microsoft said Thursday that it will ship 12 security updates next week, including two for Internet Explorer (IE), to patch a near-record 57 vulnerabilities in the browser, Windows, Office and the business-critical Exchange mail server software.
“These are some serious numbers,” said Andrew Storms, director of security operations at nCircle, referring to the 57 bugs Microsoft plans to quash on Feb. 12.
It is nearly a record, approaching the all-time Patch Tuesday count of 64 bugs, all of them patched in April 2011.
Five of the 12 updates will be rated “critical,” Microsoft’s highest threat rating, while the rest will be marked “important,” the next step down.
Two of the five critical updates address vulnerabilities in Windows XP Service Pack 3 (SP3) and Windows Vista. Among the important updates, five affect Windows 7, four Windows 8, and three each Windows XP SP3 and Windows RT. The latter is the limited-functionality edition designed for tablets, and it powers Microsoft’s own Surface RT tablet.
But what caught Storms’ attention were two separate updates for IE, both labeled critical, that patch IE6, IE7, IE8, IE9 and the latest version of the browser, IE10.
“This is the first time I’ve seen it done,” Storms said of the one-two punch. “Unless there has been an ‘out-of-band’ update for IE, they have never posted more than one update [to the browser] in a month.”
Storms struggled to come up with reasons why Microsoft split what could have been a single, larger update. “Why not a cumulative update for Internet Explorer?” he asked. “We certainly expect to see an interesting post next week with a long and complicated explanation.”
The most likely place for Microsoft to offer insight into why it crafted two IE updates is its Security Research and Defense blog, which regularly posts entries on the month’s complex or unusual Patch Tuesday updates.
The IE double whammy could help companies manage patching next week. Or it could hurt them. “I can see it both ways,” said Storms. “It may be more difficult because you have to test two updates. It is also possible they split them because one has more risk than the other.” In the latter case, companies will have more flexibility than normal, he said, and will be able to decide whether to apply only one, both or neither.
“I can see that, but I still don’t understand why they wouldn’t put [the patch] installation in one bulletin and wrap it with a little logic,” said Storms. “[The only thing I can think of] is that one bulletin is for IE core, and one is for something used by IE.”
Another expert, Lumension security and forensic analyst Paul Henry, theorized that one of the IE updates could be related to Oracle’s recent Java vulnerabilities. Like other browsers, IE relies on an Oracle-provided plug-in to process Java code.
“It is possible that this is related to the recent and ongoing Java problems,” Henry said in an email Thursday. “Microsoft has a very close relationship with Oracle, so it would not surprise me if these bulletins include Java patches.”
Last week, Oracle accelerated the release of its regularly scheduled security update, originally slated to ship Feb. 19, citing “active exploitation in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.
Oracle’s early update came after several embarrassing “zero-day” vulnerabilities, the emergency patches needed to quash those bugs, and harsh criticism leveled by security professionals against Oracle’s handling of Java’s problems.
Next week’s fifth critical update affects Exchange Server 2007 and Exchange Server 2010, the second- and third-newest versions of Microsoft’s email server software.
While details were absent from Microsoft’s always bare-bones advance notice, Storms said the simple fact that the update is rated critical and affects Exchange should be enough to raise IT professionals’ antennae. “I always worry because Exchange is the business-critical application,” said Storms.
A failed patch or compatibility issues when updating Exchange could knock out a company’s email, with all the resulting chaos among workers, and conflict between them and IT, that this creates.
Microsoft will release next week’s 12 security updates on Feb. 12 at approximately 1 p.m.