Microsoft withholds monster IE update from Windows 8.1 dawdlers
- 11 June, 2014 06:09
Microsoft refused to give Windows 8.1 customers a second reprieve, requiring most to have upgraded their devices to April's Windows 8.1 Update before the firm's Windows Update would serve up a mammoth patch slate today.
Tuesday's collection of seven different "bulletins" - Microsoft's label for its security updates -- included one for Internet Explorer (IE) that contained fixes for a record 59 separate vulnerabilities.
The previous single-bulletin mark was MS11-034, which patched 30 vulnerabilities in April 2011.
Microsoft got a bit defensive about the large number of CVEs on today's slate. "Does a vulnerability make a sound if it never gets exploited?" asked Dustin Childs, a group manager on the Microsoft Security Response Center's blog Tuesday after recounting the total flaws fixed. "When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack. In other words, it doesn't matter if that falling tree makes a noise; we still have an action to take."
To receive the MS14-035 IE update and others released today, consumers and small businesses or organizations -- anyone using Windows Update to obtain patches -- that have devices running October 2012's Windows 8.1 must have applied Windows 8.1 Update (Win8.1U).
Microsoft issued Win8.1U in early April.
Larger customers, enterprises primarily, that rely on WSUS (Windows Server Update Services), Windows Intune or System Center Configuration Manager to obtain and deploy patches, have until August 12 to migrate from Windows 8.1 to Win8.1U.
Initially, Microsoft gave everyone just five weeks to put Windows 8.1 Update in place or face a no-patch future. But it quickly backed off under pressure from corporate customers, and gave them the three-month extension. At the time, Microsoft retained the May 13 deadline for all others.
But just 24 hours before the cutoff, the consumer deadline was extended to June 10.
Today's MS14-035 included 59 individual CVEs (Common Vulnerabilities and Exposures), the individual identifiers for security bugs that are logged into a central database maintained by Mitre with funding from the U.S. Department of Homeland Security.
Of the 59 total CVEs in MS14-035, 21 were applicable to Internet Explorer 8 (IE8), not only the most-used of Microsoft's browsers, but also the newest that runs on the still-defiant Windows XP. The corporate combination of Windows XP- and Windows 7-powered PCs -- businesses shunned the interim Windows Vista and have largely done the same to Windows 8 -- was a major factor in businesses worldwide standardizing on IE8; it was the latest that ran on both operating systems.
Today, Microsoft again urged customers to yank IE8 from Windows 7 in favor of the newest iteration, IE11, which was released alongside Windows 8.1 last October, and for Windows 7 in November. On Microsoft's IE blog, Fred Pullin, a senior product marketing manager, repeated the firm's contention that IE11 is more secure and that its Enterprise Mode, a new compatibility feature that mimics IE8 for legacy websites and Web apps, is a suitable replacement for the real deal.
IE11, however, received 47 patches, more than twice as many as IE8, a number that some will certainly cite to question Pullin's advice that, "If you are using an older browser, upgrade to the latest version and enable automatic updates for more secure browsing."
Windows 8.1 Update can be downloaded and installed on current Windows 8.1 PCs using Windows Update. Win8.1U will appear as an "Important" update and will be labeled as "KB 2919355."
After Win8.1U has been successfully installed, users can manually re-run Windows Update to retrieve today's seven bulletins, including MS14-035.
Ironically, laggards who have remained on Windows 8, the October 2012 original, have until Jan. 12, 2016 to migrate to Windows 8.1 Update before losing their patch privileges.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.