Skip to main content

May Patch Tuesday Comes with Twist for Windows 8.1

UPDATED 11:45 a.m. ET Tuesday (May 13) with news that Microsoft has reversed its position on the necessity of Windows 8.1 Update.

Windows 8.1 users might not receive four of the eight security updates Microsoft will release next week in its monthly "Patch Tuesday" update (May 13). The eight updates fix security flaws in Internet Explorer, Windows, Office and SharePoint: Two are marked "critical," Microsoft's highest threat rating, and the rest are marked "important."

Four of the eight pertain to Windows 8.1, Windows' latest desktop operating system. However, if Windows 8.1 users want these security patches, they'll need to install Windows 8.1 Update, which was released April 8, 2014 and includes some interface tweaks, such as the ability to run Windows 8's Metro apps from within the desktop.

MORE: Best Anti-Virus Software 2014

Microsoft usually doesn't divulge details about vulnerabilities in upcoming Patch Tuesday, and this month is no exception. In its advance notification, the company said the two "critical" updates concern remote code execution, or the ability for a cyberattacker to gain control of a vulnerable computer via a remote server.

The attacker could install malware on the computer without the proper user's permission, or even knowledge. However, the attacker could only acquire the same permissions as the user whose account is compromised, another example of why PC owners should use limited-user accounts when performing general activities on the computer.

The first critical update is probably the most serious for regular users: It concerns a vulnerability in all supported versions of Windows and Internet Explorer (Windows Vista through 8.1 and RT, and IE 6 through 11). The same flaw also affects all supported versions of Windows Server, but it's only a "moderate" threat for those.

The second critical update concerns Microsoft SharePoint Server 2010 and 2013 as well as Microsoft Office Web Apps 2010 and 2013, which are browser-based "light" versions of Word, Excel, PowerPoint and other Office applications.

The other six updates are all rated "important." One concerns remote code execution on Microsoft Office 2007, 2010 and 2013, which is less serious than a similar attack on a Windows system as a whole.

Three updates concern elevation of privilege, in which attackers give themselves more permissions on an infected computer. Paired with a remote-code-execution flaw, an elevation-of-privilege flaw could let attackers take over the entirety of a computer. All three affect all supported versions of Windows and Internet Explorer, and one also concerns Microsoft's .NET Framework.

One of the final two updates concerns a denial-of-service flaw on all supported versions of Windows Server, which could be exploited to take a server offline by overloading it with more data requests than it can handle. The other concerns a security feature bypass in Microsoft Office 2007, 2010, 2013 and 2013 RT.

We'll know more about the specific nature of the threats being patched when the updates are pushed out at about 10 a.m. PDT Tuesday (May 13).

To make sure you receive Microsoft security patches, go into Control Panel and set Windows Update to install updates automatically. If you run Windows 8.1, install the April operating-system update first.

UPDATE: In a Microsoft blog posting Monday (May 12), Microsoft marketing-communications manager Brandon LeBlanc announced that Microsoft had changed its mind. Users of Windows 8.1 will not need to install Windows 8.1 Update before they can receive May's Patch Tuesday patches after all.

"We've decided to extend the requirement for our consumer customers to update their devices to the Windows 8.1 Update in order to receive security updates another 30 days to June 10th," LeBlanc wrote.

There have been numerous reports of Windows 8.1 users not being able to install Windows 8.1 Update, or of having the update fail halfway through installation. LeBlanc referred only to "issues installing the Windows 8.1 Update" and pointed users to a Windows 8.1 Update troubleshooting page.

Users of Windows 8.1 still have to install the update by the time of June's Patch Tuesday, LeBlanc reiterated. (Users of plain old Windows 8 are not affected.) That's assuming, of course, that Microsoft doesn't bow to consumer pressure once again.

"As noted previously, consumer customers who do not update their Windows 8.1 devices to the Windows 8.1 Update by this new deadline will no longer receive updates," LeBlanc said. "We’re confident that within the next month, the majority of the remaining customers who haven’t updated their devices to the Windows 8.1 Update will be able to do so."

Email or follow her @JillScharr and Google+.  Follow us@TomsGuide, on Facebook and on Google+.