Next week, Microsoft plans to issue four patches, including one critical fix, for vulnerabilities affecting Windows, Internet Explorer, Microsoft Lync Server and the .NET Framework.
In an advance notification for its monthly Patch Tuesday update, the tech giant revealed that the sole “critical” patch in the bunch would address remote code execution issues in Internet Explorer (IE). Released Thursday, the security bulletin also said that the three remaining scheduled patches were ranked “important.” The bulletins will rectify vulnerabilities allowing denial-of-service and elevation of privilege.
Ross Barrett, senior manager of security engineering at Rapid7, told SCMagazine.com in prepared email commentary, that the denial-of-service issues affecting the .NET Framework, Windows and Microsoft Lync Server, and elevation of privilege concerns impacting Windows, were “nothing to ignore, but definitely secondary to the IE issue unless it turns out that some, or all, of these [bugs] are under active exploitation,” he wrote.
Chris Goettl, product manager with Shavlik, noted in emailed commentary that the priority patch for IE this month, keeps in line with other critical bulletins issued by Microsoft throughout the summer.
“For the past few months we have seen large numbers of vulnerabilities primarily around memory corruption and memory leaks being resolved in IE,” Goettl wrote. “It's likely we are going to see a continuation of that trend that started back in June, but it's probably going to be a fairly clean month for IE.”
In August, Microsoft shipped nine fixes in total for 37 bugs in its software. Of note, one of the two critical fixes last month remediated 26 bugs in IE, of which the most severe could allow remote code execution (RCE).
The tech giant was also forced to reissue a problematic update (MS14-045) that month after the initial release caused some users' systems to crash.
