On Patch Tuesday, Microsoft releases nine patches for 37 bugs
The tech giant's monthly security update includes two critical patches for IE and Windows.
On Patch Tuesday, Microsoft shipped nine fixes for 37 bugs in its software, bringing a cumulative update for Internet Explorer and addressing security issues in Windows, Office, SharePoint Server, SQL Server software, and the .NET Framework.
In an August security bulletin, the tech giant detailed the privately and publicly disclosed flaws. One of two critical patches, MS14-051, remediated the bulk of vulnerabilities this month, 26 bugs in IE of which the most severe could allow remote code execution (RCE).
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” Microsoft's security bulletin said. To exploit the bugs, an attacker could simply convince a user to view a malicious webpage in the IE web browser, the company warned.
The cumulative fix is for users running IE 6 through IE 11.
The second critical patch this month, MS14-043, also addresses an RCE flaw, one privately reported bug in Windows. In an attack scenario, an intruder could exploit the vulnerability if a user opened a malicious Office file that “invokes Windows Media Center resources,” Microsoft said.
Other patches in the monthly update entailed seven “important” fixes for an RCE bug in Microsoft OneNote; elevation of privilege flaws in Windows, SQL Server and SharePoint Server; and issues in Microsoft .NET Framework and Windows that could allow security feature bypass.
On Tuesday, Russ Ernst, director of product management for vulnerability management products at Lumension, took to the company blog to weigh in on Microsoft's release.
"If you feel like you are constantly patching IE – you are,” Ernst wrote.
Last month, Microsoft also led its bulletin list with an IE-heavy security update, which plugged a slew of RCE bugs affecting the browser. That patch, MS14-037, resolved 24 critical vulnerabilities in the browser.
“A cumulative update for the browser is now the rule more so than the exception," Ernst continued. "To help users keep up, Microsoft announced last week they will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, they will offer customers migration resources and upgrade guidance," he said.
Among the dozens of IE bugs remediated with bulletin MS14-051, was one vulnerability (CVE-2014-2819) that was publicly disclosed at the Black Hat hacking conference in Las Vegas last week, Ernst noted.
“It allows an attacker to bypass the application sandbox and elevate privilege, but it must be combined with another remote code execution vulnerability to ultimately be successful,” he explained.