March Patch Tuesday Updates May Fix Critical IE Flaw
Building 17 on Microsoft's main campus in Redmond, Wash. Credit: Derrick Coetzee/Public domain
UPDATED 6 pm Tuesday ET with more details on contents of Microsoft patches.
This month's round of Microsoft Patch Tuesday updates includes urgent fixes for most versions of Windows and all versions of Internet Explorer, plus important patches for all Windows machines and even some Macs.
The big mystery, which won't be revealed until the updates are pushed out tomorrow (March 11), is whether the Internet Explorer zero-day flaw currently being exploited by state-sponsored hackers will be fixed as well.
Many in the security industry assume the Internet Explorer flaw, known by the bug number CVE-2014-0322 and first spotted in February, will be patched tomorrow.
The bug affects only Internet Explorer versions 9 and 10 on Windows Vista, 7, 8/8.1 and RT. Yet all supported versions of Internet Explorer — 6 through 11 — and all supported versions of Windows — XP through 8/RT — will receive crucial updates.
It will be the next-to-last round of updates ever for the 13-year-old Windows XP, which Microsoft is dropping support for after next month's Patch Tuesday on April 8.
CVE-2014-0322 is being used in "watering hole" attacks against individuals assumed to be interested in specific websites, in this case that of the Veterans of Foreign Wars. Last month, Microsoft released a "Fix-it" tool that would temporarily kill the IE bug while users waited for a full-fledged patch.
The IE patch bundle is one of two "critical" security bulletins that Microsoft sketched out in its advance notification. Microsoft defines a critical vulnerability as one that "could allow code execution without user interaction" — in other words, malware — and should be applied "immediately."
The second critical bulletin also affects all versions of Windows, except the tablet-only Windows RT and RT 8.1 and server editions built for Intel's Itanium chip architecture.
Less crucial are the three "important" bulletins, which could lead to leaks of private personal information or denial-of-service attacks against computers, but not malware infections. One affects all versions of Windows; another affects XP, Vista and all non-Itanium server editions, but not Windows 7, 8/8.1 or RT.
The final important bulletin affects Microsoft Silverlight 5, the current version of Microsoft's multimedia application framework. All operating systems that run Silverlight 5, including Windows XP through 8.1/RT 8.1, all supported Windows server editions and Mac OS X, are affected, including Silverlight developer builds.
Silverlight was designed to be a rival to Adobe Flash Player, but is now primarily used to stream Netflix content through Web browsers. To check whether you have Silverlight installed, point your browser to Microsoft's "Get Silverlight" page.
To make sure you receive the Microsoft Patch Tuesday updates on time, go into Control Panel, then click on "System and Security."
Under "Windows Update," click on "Turn automatic updating on or off."
Make certain your computer is set to "Install updates automatically."
Your computer will restart after installing this month's updates, so make sure you save all your files before logging out tomorrow evening.
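The same check can be scripted, which is useful when verifying more than one machine. This is an added example, not from the original article: it reads the Automatic Updates setting through the Windows Update Agent COM API (Microsoft.Update.AutoUpdate) and looks for Silverlight in the registry; it assumes Windows Vista or later, a local administrator session, and that Silverlight's installer writes the version under HKLM:\SOFTWARE\Microsoft\Silverlight.

```powershell
# Added example (not from the article): audit the Windows Update setting the
# article tells readers to confirm, and report whether Silverlight is present.
# Assumed: Windows Vista or later, run as a local administrator.

function Get-AutoUpdateStatus {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    # NotificationLevel values of the Windows Update Agent API:
    # 0 = not configured, 1 = disabled, 2 = notify before download,
    # 3 = notify before installation, 4 = scheduled (automatic) installation
    $levels = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Notify before installation'
        4 = 'Install updates automatically'
    }
    $level = [int]$au.Settings.NotificationLevel
    [pscustomobject]@{
        ServiceEnabled        = $au.ServiceEnabled
        NotificationLevel     = $level
        Setting               = $levels[$level]
        ManagedByPolicy       = $au.Settings.ReadOnly   # $true when Group Policy controls it
        LastSearchSuccess     = $au.Results.LastSearchSuccessDate
        LastInstallSuccess    = $au.Results.LastInstallationSuccessDate
        AutomaticInstallation = ($level -eq 4)
    }
}

function Test-SilverlightInstalled {
    # Assumption: the standard Silverlight installer records its version here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Silverlight'
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) { return [pscustomobject]@{ Installed = $true; Version = $v } }
    }
    [pscustomobject]@{ Installed = $false; Version = $null }
}

$status = Get-AutoUpdateStatus
$status | Format-List
if (-not $status.AutomaticInstallation) {
    Write-Warning "Automatic installation is off; this month's critical updates will not apply on their own."
}
Test-SilverlightInstalled | Format-List
```

If ManagedByPolicy is $true, the Control Panel option is greyed out and the setting must be changed through Group Policy instead.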
UPDATE: In its finalized version of the March Patch Tuesday security bulletin, Microsoft confirmed that the first critical bulletin does indeed fix the IE 10 hole being exploited, as well as 17 other Internet Explorer vulnerabilities that were privately disclosed.
One of those is "a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8," wrote Microsoft Trustworthy Computing manager Dustin Childs in a company blog post. "Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above."
ASLR, or address space layout randomization, is a defensive security measure found in modern operating systems that foils malware by randomizing the addresses in a computer's RAM at which a program's code and data are loaded each time it runs, so an attacker cannot rely on knowing where they sit. (Earlier operating systems allotted RAM space predictably.)
The important Silverlight flaw fixed in this month's last bulletin also involves ASLR.
"The issue wasn't publicly known and it isn't under active attack," Childs wrote, but "the update removes an avenue attackers could use to bypass ASLR protections."