SecurityWeek

Number of IE Vulnerabilities Fixed by Microsoft Doubled in 2014: Report

ESET has published a new report focusing on Windows vulnerabilities fixed by Microsoft in 2014 and their exploitation.

According to ESET's researchers, most of the vulnerabilities Microsoft addressed last year affected Internet Explorer. Of the roughly 240 security holes in total, seven were exploited in the wild before Microsoft could patch them (zero-days). Compared to 2013, the number of Internet Explorer flaws fixed doubled in 2014.

A large majority of the Internet Explorer bugs addressed by Microsoft were remote code execution (RCE) vulnerabilities that could have been exploited for malware distribution through drive-by download attacks, the study shows.

Last year, Microsoft also addressed tens of vulnerabilities affecting kernel mode drivers, the .NET Framework, the Windows GUI subsystem driver (win32k.sys), Office, and various Windows user mode components. Nine of these security holes were zero-days, ESET noted.

Vulnerabilities in Win32K, kernel mode drivers, and .NET were mostly leveraged for local privilege escalation (LPE). Microsoft Office vulnerabilities, on the other hand, were largely exploited for remote code execution. Flaws in Windows user mode components were used for both RCE and LPE, the security firm said.

Compared to 2013, the number of vulnerabilities patched by Microsoft in its products, with the exception of Internet Explorer, decreased considerably in 2014.

Figure: Vulnerabilities fixed by Microsoft in 2013 and 2014

“We can predict for next year that drive-by download attacks will remain as the main avenue for exploiting vulnerabilities and delivering malicious code. Due to the significant and increasing complexity of exploit development, we also can predict that such exploits will continue to be developed by specialist engineers for use in targeted attacks,” Baranov Artem, malware researcher at ESET Russia, noted in the report.

ESET’s report also highlights the various exploit mitigation techniques Microsoft introduced last year for Windows, Internet Explorer, and the Enhanced Mitigation Experience Toolkit (EMET).


Coordinated vulnerability disclosure

In a blog post published on Sunday, Chris Betz, senior director of Microsoft’s Security Response Center, called for better coordinated vulnerability disclosure.

“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree,” Betz said. “Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.”

The blog post came in response to Google’s decision to release the details of a Windows 8.1 vulnerability before Microsoft had fixed it. Google published the information 90 days after notifying Microsoft, in line with its own disclosure policy. Microsoft said it had asked Google to wait until January 13 (the next Patch Tuesday), but the search giant apparently refused to do so.

Last week, Microsoft announced its decision to provide advance Patch Tuesday notifications only to Premier customers and organizations involved in the company’s security program.

Written by

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
