Microsoft's latest countdown: Update Windows 8.1 before Tuesday

Next week's seven-bulletin slate, including critical fixes for IE and Windows, won't reach 8.1 unless April's Update has been applied

Microsoft has announced it will deliver seven security updates to customers next week, including an almost-habitual one for Internet Explorer (IE), and others for Windows, Office and Lync, the company's communications server software.

Before then, Windows 8.1 devices that rely on Windows Update to obtain patches must have moved to Windows 8.1 Update, an interim upgrade Microsoft shipped in early April.

The IE update, one of two classified as "critical," Microsoft's most serious threat ranking, will include a patch for a vulnerability that went partially public last month after a bug bounty program tired of waiting for Redmond to fix the flaw.

Two weeks ago, HP TippingPoint's Zero Day Initiative (ZDI) revealed some details about the IE bug after its 180-day grace period had expired without Microsoft providing a patch. Microsoft acknowledged that the flaw existed, but said it had not received reports of the vulnerability being exploited in the wild. The company repeated that claim today.

The other critical update will patch all still-supported versions of Windows, ranging from Windows Server 2003 to Windows 8.1. Like the IE "bulletin" -- Microsoft's term for an update package that patches one or more vulnerabilities -- the critical one for Windows was tagged as "remote code execution" (RCE) in today's advance notification. That meant cyber criminals could, if they managed to exploit the bug, compromise an unpatched PC, then plant malware on it, steal information from it or use it as part of a botnet constructed from hijacked systems.

That bulletin will also affect Office 2007 and 2010 on Windows, as well as various versions of Lync 2010 and Lync 2013.

"Given the programs, [the vulnerability] is a shared component that has an impact across a variety of platforms," said Chris Goettl, a product manager at patch management vendor Shavlik, in an email Thursday. "This looks like an RCE that would be executed through some sort of phishing campaign to get users to click a link or open a file. Given the critical rating, it wouldn't surprise me if there's an added element to this that makes it more dangerous than your standard phishing attack. It's also possible that Microsoft has seen some attacks in the wild."

Others followed Goettl in putting the update in the spotlight.

"[Because] it is rated only 'Important' in Office, [it is likely] that it is a file-based vulnerability. Our bet is on a graphics format vulnerability, but we will see next Tuesday. Keep an eye on this one," advised Wolfgang Kandek, CTO of security vendor Qualys, in an email.

Although the information Microsoft provided on next week's two critical updates suggests that vulnerabilities also exist in the now-retired Windows XP, or in the versions of IE able to run on the 14-year-old OS, Windows XP will not receive those fixes.

However, Microsoft will update a cousin of XP -- Windows Embedded POSReady 2009, designed for point-of-sale systems and automated teller machines (ATMs) -- which will again prompt some to hack their copies of Windows XP SP3 to trick Windows Update into delivering the fixes.

Microsoft will issue the month's security updates on Tuesday, June 10.

Before that, most customers with Windows 8.1-powered PCs or tablets must have applied April's Windows 8.1 Update. Anyone who does not will be unable to obtain patches through Windows Update.

Microsoft originally gave everyone just five weeks to put Windows 8.1 Update in place or face a sans-patch future, but quickly backed off under pressure from corporate customers, giving them a three-month extension.

Next, just 24 hours before May's security slate was to ship, Microsoft ceded even more ground by extending the deadline for consumers to June 10.

Ironically, laggards still running 2012's original Windows 8 will continue to receive all appropriate patches; they have until January 2016 to migrate to Windows 8.1.

Customers have been both confused and frustrated by the Windows 8.1-to-Windows 8.1 Update requirements. Microsoft has done nothing to clear the air, and has continued to assert that the requirement was security related, an explanation many saw as arbitrary because Windows 8 users have been given a pass.

Microsoft will ship the seven security updates on June 10 at approximately 1 p.m. ET (10 a.m. PT).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.
