Patch Tuesday brings major IE overhaul, 66 bugs fixed in total

The highest priority bulletin remediated 59 remote code execution (RCE) bugs affecting IE 6 through IE 11.

This month, Microsoft addressed 66 vulnerabilities in its software with seven patches, including a major cumulative fix for Internet Explorer.

On Tuesday, the tech giant published details on the roundup of bugs, and corresponding software updates, on its website. The highest priority bulletin was MS14-035, a critical patch to remediate 59 remote code execution (RCE) bugs affecting IE 6 through IE 11.

Among the addressed vulnerabilities was a use-after-free remote code execution bug in IE 8 (CVE-2014-1770), which had awaited a patch from Microsoft for about eight months prior to the Tuesday release. HP's Zero Day Initiative (ZDI) team revealed details about the bug in late May, in keeping with its 180-day deadline for publicly disclosing vulnerabilities.

Luckily, there were no reports of zero-day attacks taking advantage of the vulnerability prior to the bug being fixed.

Also in this month's release was another critical patch (MS14-036) resolving two RCE vulnerabilities in Windows, Office and Microsoft Lync, an instant messaging client. The vulnerabilities could allow an attacker to remotely execute malicious code if a user opened a “specially crafted” file or webpage, Microsoft's security bulletin said.

The remaining five patches addressed software flaws ranked “important” by the tech giant – a remote code execution (RCE) bug affecting Office, two information disclosure bugs in Windows and Lync Server, and a flaw in Windows that could allow denial of service.

Lastly, a patch for Windows (MS14-030) plugged a privately reported vulnerability which could allow “tampering.”

“The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system,” the Microsoft bulletin said. “By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.”

Microsoft continued, saying that it remediated the issue by strengthening RDP's encryption.
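Microsoft's bulletin makes the exposure conditional: a host is at risk only if Remote Desktop is enabled and an attacker sits on the same network segment. The following script is an added example (not from the article, Microsoft or Qualys) that an administrator can run in an elevated PowerShell session to confirm the precondition for one host: whether RDP is switched on, whether anything is listening on the RDP port, and which security layer, authentication and minimum encryption level the RDP-Tcp listener is configured with. It reads only well-known Terminal Server registry values and assumes a Windows 8 / Server 2012 or later host so that Get-NetTCPConnection is available; the KB number of the MS14-030 update is not on this page, so the script does not try to look up the patch itself.

```powershell
# Added example: report this host's Remote Desktop exposure and encryption settings.
# Registry locations below are the standard Terminal Server keys present on all
# supported Windows versions; nothing here is specific to MS14-030.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when a value has never been set.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# fDenyTSConnections = 1 means Remote Desktop is off, which is the Windows default
# Microsoft's bulletin refers to; 0 means inbound RDP sessions are accepted.
$denyConnections = Get-RegValue -Path $tsKey  -Name 'fDenyTSConnections'
$rdpEnabled      = ($denyConnections -eq 0)

# Listener configuration for the default RDP-Tcp connection.
$securityLayer = Get-RegValue -Path $rdpTcp -Name 'SecurityLayer'       # 0 RDP, 1 Negotiate, 2 TLS
$nla           = Get-RegValue -Path $rdpTcp -Name 'UserAuthentication'  # 1 = Network Level Authentication required
$encLevel      = Get-RegValue -Path $rdpTcp -Name 'MinEncryptionLevel'  # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
$port          = Get-RegValue -Path $rdpTcp -Name 'PortNumber'
if (-not $port) { $port = 3389 }   # default RDP port when PortNumber is unset

$layerName = switch ($securityLayer) {
    0       { 'RDP security layer (legacy)' }
    1       { 'Negotiate' }
    2       { 'TLS' }
    default { 'not set' }
}

# Is the configured port actually bound? A disabled service with a stale
# registry setting should not be reported as exposed.
$listening = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue).Count -gt 0

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    RdpEnabled          = $rdpEnabled
    ListeningOnRdpPort  = $listening
    RdpPort             = $port
    SecurityLayer       = $layerName
    NetworkLevelAuth    = ($nla -eq 1)
    MinEncryptionLevel  = $encLevel
    # Per the bulletin, hosts with RDP disabled are not at risk from this issue.
    InScopeForMS14_030  = ($rdpEnabled -and $listening)
}
```

Run it on a sample of workstations before and after deploying the update: hosts that report `RdpEnabled = False` and nothing listening match the "not at risk" case in Microsoft's bulletin, while hosts that do listen should at least show `NetworkLevelAuth = True` and a TLS or Negotiate security layer, since those settings reduce what an unauthenticated peer on the same segment can do with a session before the patch is installed.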

On Tuesday, Wolfgang Kandek, CTO at network security and vulnerability management firm Qualys, blogged that the massive patch for several versions of IE (MS14-035) was the “high priority item this month.”

“It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the zero-day, CVE-2014-1770, in IE8,” Kandek said.

He later addressed the large window of opportunity for attackers plotting to exploit the flaws.

“The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers, a page set up by attackers that exploits a popular theme (soccer's World Cup, for example) or just links to pages emailed to potential victims with short enticing leads,” he warned.

According to Microsoft, the company was not aware of any active attacks exploiting the long list of RCE bugs prior to Patch Tuesday.
