Microsoft Patches Critical Internet Explorer, Windows Vulnerabilities

Microsoft added two new security updates into the mix of Patch Tuesday bulletins being released today.

The additions – critical updates for Internet Explorer and the VBScript scripting engine – bring the total number of vulnerabilities addressed in the updates to nearly three dozen. Initially, Microsoft announced plans last week to release five bulletins today, but revealed Monday it was adding two new bulletins into the release for a total of seven.

According to Microsoft, the Direct2D, VBScripting and IE bulletins should be the top three priorities for organizations.

“At first take, it looked like Microsoft would continue the 2014 trend of keeping patch Tuesday relatively light,” said Ross Barrett, senior manager of security engineering at Rapid7. “There were only five advisories this month, two critical, three important. Emphasis is on the past tense.”

The IE bulletin, MS14-10, addresses 23 publicly-disclosed vulnerabilities and one previously made public.

“The most severe vulnerabilities could allow remote code execution if a user views a specially-crafted webpage using Internet Explorer,” according to Microsoft. “An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability in the VBScripting engine in Windows is also a remote code execution bug that can be exploited if a user views a malicious site. The vulnerability is caused when the scripting engine rendered in Internet Explorer does not properly handle objects in memory, and corrupts memory in a way that allows an attacker to execute code with the rights of the user.

The final bulletin on Microsoft’s high priority list is MS14-007, which fixes a vulnerability in the Direct2D graphics component in Windows.

“This patch applies to Windows 7, 8, 8.1, RT, RT 8.1, Server 2008 R2, Server 2012, and Server 2012 R2,” said Marc Maiffret, CTO of BeyondTrust. “Additionally, exploitation can be achieved by delivering malicious 2D geometric figures through Internet Explorer. Therefore, attackers will be very interested in it, given that it affects the latest versions of Windows and can be exploited via drive-by mechanisms. Deploy this patch as soon as possible.”

There is one more critical bulletin on the Patch Tuesday menu, however: MS14-008, which addresses a remote code execution issue in Microsoft Forefront. This does not affect all Forefront solutions: it only affects Forefront Protection 2010 for Exchange Server, Maiffret noted. Nonetheless, it is important to get this patch deployed as soon as possible, because attackers will be interested in any way to potentially compromise an Exchange server, he said.

The remaining bulletins are classified as ‘Important’ and impact Microsoft Windows and the .NET Framework. 
