SecurityWeek

Vulnerabilities

Microsoft Patches Critical Internet Explorer, Windows Vulnerabilities

Microsoft added two new security updates into the mix of Patch Tuesday bulletins being released today.

The additions – critical updates for Internet Explorer and the VBScript scripting engine – bring the total number of vulnerabilities addressed in the updates to nearly three dozen. Initially, Microsoft announced plans last week to release five bulletins today, but revealed Monday it was adding two new bulletins into the release for a total of seven.

According to Microsoft, the Direct2D, VBScripting and IE bulletins should be the top three priorities for organizations.

“At first take, it looked like Microsoft would continue the 2014 trend of keeping patch Tuesday relatively light,” said Ross Barrett, senior manager of security engineering at Rapid7. “There were only five advisories this month, two critical, three important. Emphasis is on the past tense.”

The IE bulletin, MS14-10, addresses 23 publicly-disclosed vulnerabilities and one previously made public.

“The most severe vulnerabilities could allow remote code execution if a user views a specially-crafted webpage using Internet Explorer,” according to Microsoft. “An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability in the VBScripting engine in Windows is also a remote code execution bug that can be exploited if a user views a malicious site. The vulnerability is caused when the scripting engine rendered in Internet Explorer does not properly handle objects in memory, and corrupts memory in a way that allows an attacker to execute code with the rights of the user.

The final bulletin on Microsoft’s high priority list is MS14-007, which fixes a vulnerability in the Direct2D graphics component in Windows.

“This patch applies to Windows 7, 8, 8.1, RT, RT 8.1, Server 2008 R2, Server 2012, and Server 2012 R2,” said Marc Maiffret, CTO of BeyondTrust. “Additionally, exploitation can be achieved by delivering malicious 2D geometric figures through Internet Explorer. Therefore, attackers will be very interested in it, given that it affects the latest versions of Windows and can be exploited via drive-by mechanisms. Deploy this patch as soon as possible.”

There is one more critical bulletin on the Patch Tuesday menu, however – MS14-008, which addresses a remote code execution issue in Microsoft Forefront. This does not affect all Forefront solutions: it only affects Forefront Protection 2010 for Exchange Server, Maiffret noted. Nonetheless, it is important to get this patch deployed as soon as possible, because attackers will be interested in any way to potentially compromise an Exchange server, he said.

The remaining bulletins are classified as ‘Important’ and impact Microsoft Windows and the .NET Framework. 
