Microsoft Patches Critical Internet Explorer, Windows Vulnerabilities

Microsoft added two new security updates into the mix of Patch Tuesday bulletins being released today.

The additions – critical updates for Internet Explorer and the VBScript scripting engine – bring the total number of vulnerabilities addressed in the updates to nearly three dozen. Initially, Microsoft announced plans last week to release five bulletins today, but revealed Monday it was adding two new bulletins into the release for a total of seven.

According to Microsoft, the Direct2D, VBScripting and IE bulletins should be the top three priorities for organizations.

“At first take, it looked like Microsoft would continue the 2014 trend of keeping patch Tuesday relatively light,” said Ross Barrett, senior manager of security engineering at Rapid7. “There were only five advisories this month, two critical, three important.  Emphasis is on the past tense.”

The IE bulletin, MS14-10, addresses 23 publicly-disclosed vulnerabilities and one previously made public.

“The most severe vulnerabilities could allow remote code execution if a user views a specially-crafted webpage using Internet Explorer,” according to Microsoft. “An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability in the VBScripting engine in Windows is also a remote code execution bug that that can be exploited if a user views a malicious site. The vulnerability is caused when the scripting engine rendered in Internet Explorer does not properly handle objects in memory, and corrupts memory in a way that allows an attacker to execute code with the rights of the user.

The final bulletin on Microsoft’s high priority list is MS14-007, which fixes a vulnerability in the Direct2D graphics component in Windows.

“This patch applies to Windows 7, 8, 8.1, RT, RT 8.1, Server 2008 R2, Server 2012, and Server 2012 R2,” said Marc Maiffret, CTO of BeyondTrust. “Additionally, exploitation can be achieved by delivering malicious 2D geometric figures through Internet Explorer. Therefore, attackers will be very interested in it, given that it affects the latest versions of Windows and can be exploited via drive-by mechanisms. Deploy this patch as soon as possible.”

There is one more critical bulletin on the Patch Tuesday menu however – MS14-008, which addresses a remote code execution issue in Microsoft Forefront. This does not affect all Forefront solutions: it only affects Forefront Protection 2010 for Exchange Server, Maiffret noted. Nonetheless, it is important to get this patch deployed as soon as possible, because attackers will be interested in any way to potentially compromise an Exchange server, he said.

The remaining bulletins are classified as ‘Important’ and impact Microsoft Windows and the .NET Framework.