Microsoft to issue 8 updates, 3 critical, on Patch Tuesday

Summary: All supported versions of Microsoft Windows, Office and Internet Explorer are affected by at least one of the eight bulletins. Microsoft also clarified the impact of this week's disclosure of another vulnerability in Windows, Office and Lync.

This coming Tuesday, November 12, Microsoft will release eight updates for Microsoft Windows, Office and Internet Explorer to patch an as-yet unspecified number of vulnerabilities in them. Three of the updates, affecting Windows and Internet Explorer, are rated critical.

All supported versions of Windows, including the recently released 8.1, are affected by at least one critical vulnerability. The one bulletin that affects Internet Explorer fixes a critical vulnerability in all versions of the browser, including the brand new Internet Explorer 11. Three other Windows bulletins are rated Important.

Two other bulletins, both rated important, affect all supported versions of Microsoft Office.

Microsoft will also release their other usual monthly updates, including a new version of the Malicious Software Removal Tool and a large number of non-security updates.

Earlier this week Microsoft disclosed a vulnerability affecting some versions of Windows and Office and all versions of Microsoft Lync. The vulnerability is being used in zero-day attacks specifically against Office. The Patch Tuesday updates this month will not address this vulnerability.

Today Microsoft issued a clarification of the bulletin for that vulnerability. The main point of the clarification is that only some Office users are being attacked, not users of the other products who are not running an affected version of Office. The confusing nature of the product matrix comes from the confusing way in which GDI+, the affected component, is bundled with different products. If you are concerned about the vulnerability see the Microsoft bulletin for instructions on how to work around it until an update is ready from Microsoft.

Topics: Security, Microsoft, Windows


Talkback

19 comments
  • I'll wait, thanks

    I never push the updates from WSUS the first instance they arrive; generally I wait a week or set a custom OU to test on before deploying to the nodes.
    Let's face it, their last few patches have been pretty scrappy, mate.

    Larry, would you be able to do a story about doping transistors on routers and switches (I've been reading your threads for a while and they always seem to be the most level headed || logical posts on this site)? Currently in Australia it's speculation that is why the government isn't going with one of the Chinese competitors.
    JohnnyJammer
    • doping transistors, etc

      I'll look into it but I know nothing about it
      larry@...
      • Thanks mate

        I just wanted to understand it more as it's a curious way of getting crypto keys. Also they say now there can be self replicating malware through the speakers of a computer that has been unplugged from the network and power (Scary stuff).
        link here
        welivesecurity.com/2013/09/17/chemical-trojans-baked-into-circuits-could-offer-invisible-way-to-steal-secrets/
        JohnnyJammer
    • Doping transistors is not sabotage.

      NOT doping them would be; the very process that MAKES a transistor work involves doping some parts of the silicon with a few Group III atoms (aluminum or gallium) or a few Group V atoms (phosphorus or arsenic). But that takes place WHILE a chip is being made; once any semiconductor chip (transistor, small-scale chip, or microprocessor chip) is made, packaged, and incorporated into a circuit board within a device, there is no way to add doping to it. It can be destroyed, but not "doped" with new chemical impurities.

      You may be thinking of "flashing" or "burning" malware into "read only" chips that make a computer or peripheral work (these chips CAN be written into, but not by normal memory access instruction, only by a pseudo-write function to an I/O device address).
      jallan32
  • update?

    I fail to see why OS's can't be made secure. I still think it's because Gates didn't want to put AV (Norton specifically) companies out of business. Look at M$'s built in AV software... worthless.
    fdhealy4
    • Do a little reading

      There's a TON of books, papers and research available that discusses why writing secure code can be insanely hard.

      The continued and increasingly frequent and/or more voluminous number of patches every month for all OS platforms should make it very clear that this is a very hard problem to solve.
      bitcrazed
      • Especially with Windows

        Because every app, driver and extension you install wants Admin rights. They keep layering more software to protect a flawed design going back to DOS which was a hack of Unix without security. Everything went south from there.
        LarsDennert
    • Have you ever written complex software?

      It is almost impossible to make it 100% bug free and secure, even on relatively small projects (a few hundred thousand lines of code). Multiply that up by the millions of lines of code in an OS and there will always be holes.

      Just look at the Linux logs and the fact Linus wants the 4.0 Kernel release to be purely bug fixing, with no new features...

      The biggest problem with software is that it is written by humans and humans are never perfect, therefore the products they generate are rarely perfect and the more complex those products are, the more imperfections they contain. In art it might be a sought after facet of the end product to see the imperfections, in software, especially business or internet facing software we don't want those imperfections, so we constantly fight to improve the products.
      wright_is
      • Complex software

        Wright_is, what do you mean?

        I heard that Lotus 1-2-3 v2.2 (or was it 2.3) was bug-free... :-)
        DAS01
        • Bug free?

          Worst piece of junk ever! :-P

          We had one set of worksheets that started doing random things! We tried tracing the macros and everything ran fine, but let the macros actually run, not single step, and it gave out random results. In the end we sent the worksheets to Lotus and their reaction was "wow, we never expected anybody to do anything that complex in 1-2-3!" They recommended that we remodel it in C++! :-D
          wright_is
          • Bug-free?

            Wright_is...

            :-)

            I guess none of us used macros to test it...
            DAS01
      • In the old IBM mainframe world, there was ONE program

        that only had to be updated once in its history. A do-nothing stub program to execute in a job step intended only to create or delete files, it originally consisted of a single CPU instruction, branch to the address in register 14 (hence its name, IEFBR14). But even this program was found to have a bug, since register 15, which is used to tell the operating system the RESULT of a program's execution, was returned with a random number in it (actually the address of that BR 14 instruction itself), so ONE fix was applied very early, doubling its instruction count: SR 15,15 to return a zero (meaning a perfectly good result) condition code, before the BR 14 to return to the system.

        So if a program THAT SIMPLE took two tries to get right, how many iterations would be needed to get a large, complex program perfectly correct?
        jallan32
    • A secure OS

      There is a secure computer... it's called an abacus!
      JoeDaddy
    • Secure your installed OS yourself

      Use Sandboxie. You could even create a virtual device via Fusion or Parallels. How about something really radical? Don't install any software that wants full access to your system.
      vince7@...
      • Aahh virtualization...

        ..nothing like installing one piece of complex software with thousands of potential vulnerabilities on top of another piece of complex software with thousands of potential vulnerabilities...

        Of course, at least the illusion of software isolation and security makes you feel warm and fuzzy inside.. :)
        daftkey
  • Windows 7 & 8

    Look, if you want to surf the internet without fear of getting a virus or malware, use a Linux distro. Sure, software like Adobe and accounting software like PeachTree or Quickbook and time wasting gaming won't run in Linux, but if you want to surf, email, watch videos etc., use Linux. I use Ubuntu and have Windows 7 and 8 in a virtual o/s inside my Linux o/s using VirtualBox. Wake Up!!
    LinuxMaster4U
    • I feel like you're

      intentionally trying to minimize the software gaps in Linux. Then again do you rely on computer software to make a living?
      Sam Wagner
  • Leave the Jihad out of here please

    I fail to understand why every discussion on this forum of any patch from any IT vendor has to always degenerate into a religious war.
    PepperdotNet
    • Nothing new

      This is the price of anonymity. I saw it back in the 70's with CB radios. People would spout inflammatory statements just to listen to everyone else respond.
      Until everyone stops feeding the trolls they will continue. That won't happen because many of us can't stand to let a bald-faced lie go unanswered.
      harrim47