Patch Tuesday Centers on IE

Thursday, August 14, 2014 @ 05:08 PM gHale


Microsoft released 26 patches for Internet Explorer, including one fixing a critical vulnerability that could allow a remote attacker to gain access to a computer from over the Internet.

The patches were part of Microsoft’s monthly software update cycle, Patch Tuesday.

RELATED STORIES
IE Browser of Choice for Attacks
Patch Tuesday for Internet Explorer
Breach Alert: Critical Infrastructure at 70%
Data Breaches: Not Learning from History

Overall, Microsoft addressed 37 vulnerabilities this month, including two critical ones that could end up used for remote code execution.

MS14-051 is a collection of 26 patches for the Internet Explorer browser, said Wolfgang Kandek, chief technology officer for IT security firm Qualys. These vulnerabilities range across all currently supported versions of Internet Explorer, from IE6 to IE11.

The other critical vulnerability this month, addressed by MS14-048, is in Microsoft’s OneNote note-taking software. The vulnerability is a bug that would allow a malicious user to gain control of a machine.

OneNote, which is part of Office, does not see the widespread use like Word, Excel and PowerPoint, so Microsoft and researchers have been playing down the severity of this bug, but an organization that has this application should patch it immediately, Kandek said.

Other products patched this month include Windows, SharePoint and SQL Server. The SQL Server patch, addressed in MS14-044, offers patches for the database server software that don’t appear that often.

There are also two sets of patches that Adobe issued Tuesday, for its Reader and Flash software.

In the past few weeks, Microsoft has taken additional measures to better secure IE. It has created blocking mechanisms to stop older, unsecured, ActiveX and Java applications from running when the browser is in Internet-mode. It provides a whitelist that organizations can use to run their legacy Web applications, however.

Microsoft also said as of January 2016, it will stop supporting all but the latest versions of IE, a move to help the company better secure the browser by limiting the number of versions running. Organizations that require a specific version of the browser for legal or compliance reasons can continue to run the software in a new “enterprise mode” of operation Microsoft added to the browser.



Leave a Reply

You must be logged in to post a comment.