Microsoft pushes eight fixes for 13 bugs in Windows, IE and Office

Share this article:
The zero-day vulnerability is a remote code execution flaw in Word 2010.
The tech giant addressed 13 bugs in its products, including several critical RCE vulnerabilities.

In its monthly security update, Microsoft released eight patches for 13 bugs in Windows, Internet Explorer (IE) and Office.

According to its Patch Tuesday security bulletin, two fixes (MS14-029 and MS14-022) are deemed “critical," rectifying multiple remote code execution (RCE) bugs in IE and Microsoft Office server.

The remaining six patches were ranked “important" by Microsoft, and fixed additional RCE flaws in Office and elevation of privilege bugs in Windows. Other vulnerabilities in Windows, which could allow denial of service, and an Office flaw that could allow a security feature bypass, were also mitigated with the important updates.

Among this month's two critical patches, bulletin MS14-029 claims top priority for administrators.

The patch resolves two privately reportedly flaws in IE, which could allow remote code execution if a user views a malicious webpage using the browser.

“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” the Microsoft bulletin warned. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Microsoft also noted that one of the RCE vulnerabilities (CVE-2014-1815) addressed with bulletin MS14-029, had already been used in “limited attacks” against users. A researcher at Google, Clément Lecigne, reported the memory corruption bug, which is reminiscent of an IE flaw leveraged in April zero-day attacks.

Microsoft speedily attended to the latter vulnerability (CVE-2014-1776) with a May emergency fix.

In that instance, users running the company's no-longer-supported software, Windows XP, were among those that benefited from the unscheduled update (which was also included in this month's Patch Tuesday bulletin for those who've yet to employ the fix).

On Tuesday, Ross Barrett, senior manager of security engineering at Rapid7, said in prepared email comments to SCMagazine.com, that users can no longer rely on such goodwill moving forward, regarding additional patches for XP.

Barrett wrote that "this is the first advisory that clearly would have applied to Windows XP, but for which a patch is not available." He explained, “IE 6, 7, and 8 are vulnerable on Windows 2003 Service Pack 2, [and] this would historically have mapped to the same scope of XP patches, but not this time. Anyone still using XP just got a little less secure – not that they were well off to begin with."

Also noted in Microsoft's Patch Tuesday release, was a second critical patch, MS14-022. 

The update resolves multiple RCE bugs in Microsoft Office server, with the most severe vulnerabilities allowing attacks by a remote authenticated intruder. As noted in the bulletin, exploitation could occur if an attacker sends specially crafted page content to a targeted SharePoint server.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

TorrentLocker developers patch error

Victims had been able to restore encrypted files without paying a ransom.

Home Depot: breach risks 56M payment cards, 'unique' malware used

Home Depot confirmed that approximately 56 million payment cards may have been compromised as result of a malware attack.

Gartner: 75 percent of mobile apps will fail security tests through end of 2015

Gartner: 75 percent of mobile apps will fail ...

As BYOD and mobile computing become more critical to business, app downloads will raise security risks.