Microsoft adds critical IE, XP fixes to Tuesday's patch slate

Two more updates boost the total for tomorrow to seven

Microsoft on Monday unexpectedly added two more critical security updates to the list it will deliver tomorrow, including one for all versions of its Internet Explorer (IE) and another that will affect the soon-to-be-retired Windows XP.

"These updates have completed testing and will be included in tomorrow's release," said Dustin Childs, a spokesman for Microsoft's Trustworthy Computing group, in a short addendum to a blog originally published last Thursday.

At that time, Microsoft said it would have just five security updates, two critical, that would quash vulnerabilities in Windows and the company's Exchange-based Forefront Protection 2010 security software.

The last-minute addition of two more critical updates, which brought the total to seven, four of them with Microsoft's highest-level threat rating, was unusual, said Andrew Storms, director of DevOps at San Francisco-based CloudPassage. But he took Childs at his word about why the new ones were squeezed onto the slate.

"They were probably busy testing the new updates, but hadn't confirmed they were good until this morning," said Storms in an interview conducted using instant messaging.

According to Microsoft's revised advance notification for Tuesday's patches, the two bulletins will address one or more vulnerabilities in IE and one or more in Windows, specifically VBScript (officially known as Visual Basic Scripting Edition), which is packaged with every version of the OS, both client and server. The two bulletins were tagged as "remote code execution," meaning attackers who crafted and delivered exploits against unpatched PCs would be able to hijack a machine and plant malware on it.

Bulletin 1 is now dedicated to IE, Microsoft said, and will update every version, from the soon-to-be-retired IE6 to the newest IE11 on Windows 8.1 and Windows RT 8.1.

Storms and other security experts had noted last week that Microsoft had omitted an IE update for two months running; the sudden appearance of a patch job means that is no longer true.

"I think that most likely they wanted to get a number of bugs [in IE] fixed this month, but in terms of testing and timing were right on the edge," Storms said, guessing at the reasons why Microsoft first said it had no IE update, then said it did. "It is a little questionable since they did claim to have all those extra testing resources [for IE]. Makes me wonder why it took so long, or what about the timing threw them off the regular cadence."

Most security professionals classify an IE update as the one to deploy first, because of IE's widespread use and the prevalence of browser-based attacks. Storms said that is the case here.

The second new update, pegged as Bulletin 2 on the revamped advance notice, will patch VBScript, Childs said in his blog post. VBScript is used by some website and Web app developers as a substitute for JavaScript.

The VBScript update will affect all versions of Windows, but was rated critical on the client editions such as Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1. On the server side, it was tagged as "moderate," two steps below critical on Microsoft's four-level scoring system.

The new Bulletin 2 means that there will be a critical update for Windows XP tomorrow. That's notable because Microsoft plans to stop publicly patching the nearly-13-year-old operating system after April 8.

Storms believes the IE and VBScript updates are connected.

"I suspect the IE and VBScript [updates] are related, because they may have both been delayed together in their testing," Storms said. "Maybe it's just a coincidence. But two bulletins released at the last minute? That seems related in some way to me."

As Storms pointed out, it's rare that Microsoft adds updates at the last minute, although the company has done the opposite a handful of times, yanking one or more just before Patch Tuesday because its engineers found a glitch.

"I suppose this is better than proactively putting them in the [advanced notification] and then having to pull them a few days later," Storms said.

Microsoft will release this month's security updates on Tuesday around 1 p.m. ET.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
