Tick, tock: Windows 8.1 users face patch ban as Microsoft sets next week's updates

Microsoft today said it will issue eight security updates to customers next week that will include fixes for flaws in Internet Explorer (IE), Windows, Office and SharePoint.

Four of the bulletins, including the one targeting IE, affect Windows 8.1, the fall 2012 refresh of Windows 8. However, to receive those four updates, users of Windows 8.1 must have upgraded to Windows 8.1 Update, which Microsoft released just last month.

Of the eight updates, two were tagged "critical," Microsoft's most serious threat rating, and the remaining six were marked "important," the next step down in the firm's four-part scoring system.

May's collection of updates is the largest so far this year: Microsoft issued four updates each in January and April, five each in February and March.

"It's in the range," said Andrew Storms, director of DevOps at CloudPassage, today. "It's not like this is a giant update."

Storms recommended that users apply the IE update as soon as possible. Marked critical, the update will patch one or more vulnerabilities in all still-supported versions of the browser, including IE6, IE7, IE8, IE9, IE10 and IE11, according to Thursday's advance notification of next week's slate.

Although IE6 was retired last month for users of Windows XP, it still receives patches when deployed on Windows Server 2003. The latter does not exit support until July 2015.

No patches will be offered to Windows XP PCs next week, in fitting with Microsoft's standard support lifecycle policy. XP was retired last month, although Microsoft made an exception May 1 when it pushed a single IE patch to the 13-year-old OS, a move that caught most by surprise. At the time, it explained that it gave the IE fix to XP customers because the latter had been retired so recently.

Apparently, a week is the difference between patching and not patching XP.

"Microsoft will include the 'out-of-band' from last week in this month's IE update," said Storms, using the term for the emergency patch Microsoft shipped May 1. "But it wouldn't hurt to double-check."

The other critical update, named "Bulletin 2" in the advanced notice, will apply to SharePoint Server 2007, 2010 and 2013. SharePoint Server has been patched twice already this year -- in both January and April -- as well as in December 2013.

"SharePoint is one of those critical back-end office servers, in the same bucket as Exchange and SQL Server," said Storms. "So it will be important to move gingerly and important to test properly before deploying it."

Storms also remarked on the frequency that SharePoint has been patched. "They've been patching it more than other servers," he said. In 2013, Microsoft issued eight updates for SharePoint Server; in comparison, Exchange Server, Microsoft's email server software, received four updates during the year.

Storm put the SharePoint update in the No. 2 slot on his to-do list for next Tuesday.

The Windows 8.1 updates -- the critical one for IE, three others, all rated important, for Windows itself -- are a special case this month, as they will reach consumer PCs and other devices, including Microsoft's Surface tablets, only if users have applied Windows 8.1 Update.

Microsoft originally gave everyone just five weeks to put Windows 8.1 Update in place in order to receive May's fixes, but quickly backed off under pressure from corporate customers. Those users who rely on WSUS (Windows Server Update Services), Windows Intune or System Center Configuration Manager to obtain and deploy patches will have until August to apply Windows 8.1 Update before being shut off from future patches.

Consumers and small businesses -- or anyone who uses Windows Update to fetch patches -- must have Windows 8.1 Update in place by next Tuesday or they will not see the month's slate of fixes, leaving their systems unprotected.

"On one hand, this gives you more reason to apply Windows 8.1 Update, because if you don't there are patches you're missing," said Storms, putting a silver lining on the aggressive schedule Microsoft has mandated. "On the other hand, I wonder how many people are going to recognize that that's the case?"

In fact, some have had problems getting Windows 8.1 Update installed. A very long thread on Microsoft's support forum contains more than 1,000 messages from people who have encountered errors while trying to deploy the update.

Unless those users can finalize the installation of Windows 8.1 Update by Tuesday, they will also be unable to automatically install the month's patches.

Microsoft will release the eight security updates on Tuesday, May 13 around 1 p.m. ET.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.