Microsoft has just announced that it will release a total 11 security bulletins on Patch Tuesday, five critical and six important, but surprisingly, the rollout won’t include a fix for the recently-found zero-day TIFF flaw in Windows.Although it was initially expected to see a fully-working patch going live on Patch Tuesday, it turns out that Microsoft needs more time to develop it, with a company official recommending users to urgently update their Adobe Reader installations.
“This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready,” Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said in a statement released this morning.
“Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.”
Wolfgang Kandek, CTO, Qualys, also said that users who are running the latest version of Adobe Reader or a newer edition of Windows, including 7, 8, or 8.1, are not affected by the flaw.
“Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,” he said.
“We believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures. EMET is a free tool by Microsoft and in the last year has significantly matured in terms of manageability and deployability.”
All Patch Tuesday fixes will be delivered via Windows Update on Tuesday, so keep your computer connected to the Internet to make sure that you download and install them as soon as possible. Some of the updates will require a computer reboot, so make sure you save your work before anything else.
Update: Microsoft has confirmed that it will actually patch the TIFF flaw next week, but the recently-found Adobe zero-day vulnerability will still have to wait for a fix.