Initially, experts wondered whether Microsoft would patch the XML Core Services (MSXML) vulnerability in Windows that it first acknowledged June 12, but failed to fix even as attacks leveraging the flaw steadily ramped up.
“Where’s the patch for the XML Core bug?” asked Andrew Storms, director of security operations at nCircle Security, in an interview earlier Thursday. “The MSRC [Microsoft Security Response Center] blog makes no mention of it,” noted Storms. “It’s unlike them not to call out [an impending patch].”
Storms was not the only security researcher to notice the omission of the MSXML fix on the MSRC blog, but he was the most vocal about it.
“[A fix] for MSXML could be in one of the planned updates,” Storms acknowledged, “but if they were going to issue a fix, I think they would say so.”
Microsoft later confirmed today to Computerworld that it will patch the MSXML vulnerability next Tuesday.
Storms praised the quick turn-around by Microsoft, but stuck to his guns on his criticism of the company’s initial decision to keep quiet.
“I do applaud them for the reaction speed,” said Storms in a follow-up instant message reply to questions. “But really if they are doing such a good job, again why not tell the world? It would begin to dispel the fears about any active attacks knowing that a patch is just around the corner.”
Storms had a point: The Microsoft XML Core Services (MSXML) vulnerability has attracted attention not only from the technology press, which has focused on the quick appearance of attacks exploiting the unpatched bug, but also obviously from hackers.
On Monday, for example, AlienVault Labs reported that a malicious email campaign was trying to dupe recipients into visiting websites where attackers exploited the MSXML. Some of those emails had been aimed at workers in the defense and aerospace industries.
The popular-with-hackers Blackhole exploit toolkit has also recently added attack code targeting the MSXML vulnerability.
Microsoft Thursday said it would ship nine security updates next week, three critical, to patch 16 bugs in Windows, Internet Explorer, Office and several components of its SharePoint enterprise collaboration platform.
Of the nine updates, three were rated “critical” by Microsoft and six as “important,” the first- and second-most serious rankings in its threat system. All of the critical updates and one of the half-dozen important ones could be used to hijack Windows PCs, said the company.
What Microsoft dubbed “Bulletin 2” in today’s alert also caught researchers’ eyes because it will patch one or more vulnerabilities in Internet Explorer 9 (IE9), the newest of the company’s still-supported browsers.
“They typically patch IE every other month,” said Storms of Microsoft’s habitual browser bug fixing during even-numbered months. Four weeks ago, Microsoft patched 13 IE vulnerabilities with the MS12-037 update.
“I think it’s fair to say that this will be of high importance,” said Storms. “For them to go out of their normal cycle raises the bar.”
Other security experts also tagged Bulletin 2 as one to watch next Tuesday when Microsoft issues July’s updates.
“Bulletin 2 … is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months,” echoed Wolfgang Kandek, chief technology officer at Qualys, in an email today.
Both Storms and Kandek called out Bulletin 1, the critical update that will patch the MSXML vulnerability as the other fix likely to rise on most enterprise to-do lists. The update impacts every supported version of Windows, from Windows XP to Windows 7 on the client side, and from Server 2003 to Server 2008 R2 on the server end.
Bulletin 3, also labeled as critical, will impact only the client versions — Windows XP, Vista and Windows 7 — but could also make it onto lists next week.
“Bulletins 1 and 3 are critical bulletins that could result in full compromise [of] systems without user interaction … so they should be attention-grabbers,” said Marcus Carey, a security researcher with Rapid7, in a Thursday email.
Other bulletins will patch bugs in Office 2003 through Office 2010 on Windows, Office 2011 on the Mac, SharePoint Server 2007 and 2010, Office Web Apps 2010, and InfoPath 2007 and 2010.
InfoPath is an electronic form-creation and form-submission product.
“The update for SharePoint Server does raise some concerns, because if you were to take it down for patching or it fails afterward, there goes your enterprise collaboration system,” said Storms. “It’s as much a core component of many enterprises as Exchange.”
Next week will also be the first time that Microsoft uses beefed-up encryption for Windows Update and a strengthened communications channel between its update servers and customers’ PCs and servers, Kandek observed.
The changes were part of Microsoft’s answer to the Flame espionage malware, and the discovery that Flame had found the “Holy Grail” of hacks by subverting Windows Update. Microsoft’s response was to turn its certificate-generation process upside down and revamp how it secures Windows updates.
Although Microsoft initially said it would begin rolling out the Windows Update modifications before June’s Patch Tuesday, it reconsidered and delayed the changes until users had a chance to obtain the months’ 26 fixes.
Storms and other security experts had called on Microsoft to do just that, worried that if the Windows Update update failed or caused secondary problems, users would be vulnerable to attack because their PCs could not automatically download and install future patches.
Microsoft will release the nine updates at approximately 1 p.m. Eastern time on July 10.