
January Patch Tuesday closes support for IE versions, Windows 8

Administrators with machines on Windows 8 and unsupported versions of Internet Explorer will need to update after this month.

Microsoft started off 2016 with a relatively light January Patch Tuesday, releasing nine security bulletins, with six rated critical by the Microsoft Security Response Center.

Administrators also should be aware that Microsoft will follow through on its plan to only support the highest version of Internet Explorer (IE) on each supported version of Windows after this round of patches.  

Microsoft will also end patches for systems running Windows 8 this month. Administrators still managing Windows 8 must update to either Windows 8.1 or Windows 10 -- both are free from Microsoft -- to receive further security patches.

Clock runs out on IE 

After today, Microsoft will only release security patches for the following:

  • Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows RT and Windows 10;
  • Internet Explorer 10 on Windows Server 2012; and
  • Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008.

Companies that choose to remain on an unsupported browser do so at their own peril.
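The support list above translates directly into an inventory check. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the installed Internet Explorer version from the standard `HKLM:\SOFTWARE\Microsoft\Internet Explorer` registry key (`svcVersion` on IE 10 and 11, `Version` on older releases), determines the Windows family from `Win32_OperatingSystem`, and reports whether the machine is on the one IE version that still receives patches. Windows 8 itself is flagged as out of support, per the article; Windows RT is not handled.

```powershell
# Added example: audit the local machine against the post-January-2016 IE support matrix.
# Assumes the usual registry location for the IE version and the usual OS version numbers
# (6.0 = Vista/Server 2008, 6.1 = 7/Server 2008 R2, 6.2 = 8/Server 2012, 6.3 = 8.1/Server 2012 R2, 10.0 = Windows 10).

function Get-IEMajorVersion {
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    # svcVersion exists on IE 10 and 11; Version alone means IE 9 or earlier
    $raw = if ($key.svcVersion) { $key.svcVersion } else { $key.Version }
    return [int]($raw.Split('.')[0])
}

function Get-SupportedIEVersion {
    param([Parameter(Mandatory)] $Os)   # a Win32_OperatingSystem instance
    $major, $minor = ($Os.Version.Split('.')[0..1] | ForEach-Object { [int]$_ })
    $isServer = $Os.ProductType -ne 1   # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    switch ("$major.$minor") {
        '6.0'  { return 9 }    # Windows Vista SP2 / Windows Server 2008
        '6.1'  { return 11 }   # Windows 7 / Windows Server 2008 R2
        '6.2'  {               # Windows Server 2012 stays on IE 10; Windows 8 itself drops out of support
            if ($isServer) { return 10 } else { return $null }
        }
        '6.3'  { return 11 }   # Windows 8.1 / Windows Server 2012 R2
        '10.0' { return 11 }   # Windows 10
        default { return $null }
    }
}

function Test-IESupport {
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $installed = Get-IEMajorVersion
    $required  = Get-SupportedIEVersion -Os $os
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        InstalledIE  = $installed
        SupportedIE  = $required
        Status       = if ($null -eq $required)        { 'OS out of support' }
                       elseif ($installed -eq $required) { 'OK' }
                       else                              { 'Upgrade IE' }
    }
}

Test-IESupport | Format-List
```

Run it locally, or wrap `Test-IESupport` in `Invoke-Command -ComputerName` to sweep a fleet; any row whose Status is not `OK` is a machine that will stop receiving browser or OS security fixes after this month.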

Although the end of support isn't surprising, "there are still a decent amount of people who haven't moved away from these older browsers," said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif.

"We still see people on Windows 2003 and Windows XP, so I think it's going to be very similar, where people hold on to these browsers because it still works for them."

Two Windows-based critical vulnerabilities

Two of the critical updates deal with remote code execution (RCE) vulnerabilities in the Windows operating system. A user does not need to click on a dialog box or interact in any way other than visiting a website for these exploits to get triggered.

Bulletin MS16-005 deals with kernel-mode drivers, and is ranked as a critical vulnerability for supported editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. A user on those operating systems who goes to a malicious website would be vulnerable to an exploit that focuses on how the Windows graphics device interface handles objects in memory.

Administrators should consider putting the patch for this exploit at the top of their priority list, because it is "publicly disclosed, which means that some knowledge of that vulnerability is already out there," said Amol Sarwate, director of engineering for Qualys.

Bulletin MS16-003 centers on a vulnerability in JScript and VBScript that could allow an intruder to execute code if a user running supported versions of Windows Vista, Windows Server 2008 or Server Core goes to a specially crafted website.

Security bulletin MS16-004 involves a vulnerability in Microsoft Office that could allow an attacker to run malicious code if a user opens a specially constructed Office file. If the user is logged in as an administrator, the damage from this exploit could be wide-ranging.

"If the attacker sends you a document in email or hosts a document online, and if that document is opened, then the attacker could take complete control of the victim's machine," Sarwate said.

Office bulletins are typically rated important, because the victim has to interact with the document, for example by opening it, to trigger the attack. The critical rating on this bulletin, however, indicates attackers have found a way past some of Microsoft's security mechanisms, making it easier to take over a system.

Critical patches for Internet Explorer, Microsoft Edge

Two other patches center on critical vulnerabilities in both the Internet Explorer and Microsoft Edge browsers.

In security bulletin MS16-001, an attacker could use RCE after a user visits a specially crafted website. The hacker would then obtain the same rights as the user, which could be serious if that user is at the administrator level. This bulletin concerns systems that are running Internet Explorer 8, Internet Explorer 9, Internet Explorer 10 and Internet Explorer 11.

Bulletin MS16-002 addresses a vulnerability in the Microsoft Edge browser running on Windows 10 systems that could allow RCE if the user goes to a specially crafted website.

MS16-006, the last critical update, concerns a vulnerability in Microsoft Silverlight, which leaves a system susceptible to an attack that originates from a specially crafted Silverlight application.

MS16-007 deals with a vulnerability rated important in supported versions of the Windows operating system that could allow attackers to damage a system if they can log in to a machine and run a specially constructed application.

Bulletin MS16-008 updates all supported versions of Windows that are vulnerable to an elevation of privilege. If attackers enter the system, they could delete data, install programs or create an account that has full user rights.

The last bulletin, MS16-010, concerns an address-spoofing vulnerability in all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016. The patch closes a flaw in how Microsoft Exchange Outlook Web App authenticates Web requests.

Sharp-eyed sys admins will note that at first glance, Microsoft issued 10 bulletins, but there is a gap between bulletins MS16-008 and MS16-010.

"Normally, this happens when, very late in the process, a bulletin drops off and Microsoft cannot renumber it," Kandek said. "[Microsoft] ran into a snag with testing, most likely, and the patch wouldn't work on one of the platforms. Typically, it will come out next month, unless it's super urgent or exploited in the wild; [if so], then Microsoft would publish it out of band."


How will the end of support for some versions of Internet Explorer and Windows 8 affect your organization?
Very little. We still have most users running Win7. I think a lot of the older users would complain if we upgraded them. Unless there is a specific reason for an upgrade, I think most users are comfortable with what they have.
I’m with Todd on this one. We’re predominantly Windows 7, and have just started using Windows 10 images on some of the newer machines our test team uses.
Fortunately, this impacts far fewer people than MS would like to believe. Most have long since abandoned the sinking Win8 ship and IE version-whatever is a rarity on most machines. Will Win7 still be supported? That's where most users have washed ashore from the Win8 debacle.

And then we're on to Patch Tuesday, Microsoft's ongoing training program for unpaid beta testers. Can you say "Whack-a-Mole"...?

Mainstream support for Windows 7 SP1 ended January 13, 2015, with extended support scheduled to end January 14, 2020.