Patch/Configuration Management, Vulnerability Management

Microsoft addresses 29 bugs in IE, Windows, with six bulletins

After addressing a slew of remote code execution (RCE) bugs in Internet Explorer last month, Microsoft is back at it again, releasing fixes in an IE-heavy security update.

On Patch Tuesday, the tech giant unveiled six patches as scheduled for its Windows, IE and Server software. The top priority patch in the bunch, MS14-037, resolved 24 critical vulnerabilities in IE, with the most severe flaws allowing RCE if a user views a malicious webpage in the browser, a Microsoft security bulletin said.

The second “critical” patch, MS14-038, rectified a privately reported bug in Windows Journal that could also result in remote code execution if a victim opens a malicious Journal file.

Three patches with an “important” severity rating were also included in July's update – MS14-039, MS14-040 and MS14-041 – all of which plug Windows issues that could allow an attacker elevation of privilege on targeted systems.

Last in Microsoft's patches was bulletin MS14-042, a “moderate” fix for Microsoft Service Bus for Windows Server, a messaging service used by third-party web applications. Exploitation of the Service Bus flaw could allow denial of service “if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system,” Microsoft's bulletin said.

On Tuesday, the tech giant also published three advisories to further protect its users: an update for Windows that improves credential protection and domain authentication controls; an update that disables RC4 encryption in Transport Layer Security (TLS), helping prevent man-in-the-middle attacks from exposing data in encrypted web sessions; and Security Advisory 2755801, which brings the latest security updates for Adobe Flash Player in IE, also released on Tuesday.
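Administrators who apply the RC4 advisory will want to confirm that the cipher is actually turned off on each host. The script below is an added example for this article, not code from Microsoft or from the advisory itself; it assumes the standard SCHANNEL cipher registry keys that Windows consults for TLS cipher settings (a DWORD named `Enabled` with a value of 0 disables a cipher) and reports the state of the three RC4 key-length variants.

```powershell
# Added example (not from the article or from Microsoft): audit whether RC4 has been
# disabled for SCHANNEL/TLS on the local Windows host.
# Assumption: Windows reads per-cipher settings from
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\<cipher>,
# where an "Enabled" DWORD of 0 disables that cipher.

$cipherBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Ciphers = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128')

function Get-Rc4CipherStatus {
    foreach ($cipher in $rc4Ciphers) {
        # The .NET registry API is used instead of the HKLM: provider because the
        # '/' in the key name would otherwise be interpreted as a path separator.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$cipherBase\$cipher")
        $keyPresent = $null -ne $key
        $enabled = $null
        if ($keyPresent) {
            $enabled = $key.GetValue('Enabled')
            $key.Close()
        }

        # Only an explicit Enabled=0 counts as disabled; a missing key or value means
        # the host is still using the platform default for that cipher.
        $status = if ($enabled -eq 0) { 'Disabled' } else { 'Not explicitly disabled' }

        [pscustomobject]@{
            Cipher     = $cipher
            KeyPresent = $keyPresent
            Enabled    = $enabled
            Status     = $status
        }
    }
}

# Run the audit and flag any RC4 variant that is not explicitly disabled.
$results = Get-Rc4CipherStatus
$results | Format-Table -AutoSize

$stillOn = $results | Where-Object { $_.Status -ne 'Disabled' }
if ($stillOn) {
    Write-Warning ("RC4 not explicitly disabled for: " + ($stillOn.Cipher -join ', '))
} else {
    Write-Output 'All RC4 cipher variants are disabled in SCHANNEL.'
}
```

Run it in an elevated PowerShell session on each host after the update is installed; the `Status` column shows whether each RC4 variant has an explicit `Enabled=0`, which is the state a disable-RC4 change should leave behind, and the warning lists any variant still relying on the platform default.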

That day, Qualys CTO Wolfgang Kandek addressed Microsoft's Patch Tuesday lineup on his company's blog, advising administrators to treat the Adobe Flash fix as their top concern, after the IE patch (MS14-037).

“Unless you are running IE 10, IE 11 or Google Chrome you should look at this month's Adobe Flash fix as your second highest priority,” Kandek said. “Google Chrome, IE10 and IE11 embed Adobe Flash and update it automatically, so in that case you and your users do not have to do that. Everybody else – Internet Explorer 9 and lower, Firefox and Mac OS X users – should update their Flash installation manually.”

Still, the “biggest update” in the pack, MS14-037, should claim the most attention this month, Kandek continued.

“MS14-037 addresses 24 vulnerabilities in Internet Explorer (IE), almost all use-after-free type vulnerabilities and is valid for all versions (6-11) of Microsoft's browser. There are no zero days open for IE, which would dictate the shortest turn-around possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation,” he advised.
