
Patch Tuesday brings major IE overhaul, 66 bugs fixed in total


This month, Microsoft addressed 66 vulnerabilities in its software with seven patches, including a major cumulative fix for Internet Explorer.

On Tuesday, Microsoft published details of the bugs and the corresponding software updates on its website. The highest-priority bulletin was MS14-035, a critical cumulative update that remediates 59 remote code execution (RCE) bugs affecting IE 6 through IE 11.

Among the addressed vulnerabilities was a use-after-free remote code execution bug in IE 8 (CVE-2014-1770) that had awaited a patch from Microsoft for about eight months prior to the Tuesday release. HP's Zero Day Initiative (ZDI) team published details of the bug in late May, in keeping with its 180-day deadline for public disclosure of reported vulnerabilities.

Although the bug had been publicly disclosed for roughly two weeks, there were no reports of attacks exploiting it before the fix shipped.

Also in this month's release was another critical patch (MS14-036), resolving two RCE vulnerabilities in Windows, Office and Microsoft Lync, Microsoft's instant messaging client. The vulnerabilities could allow an attacker to execute malicious code remotely if a user opened a "specially crafted" file or webpage, Microsoft's security bulletin said.

The remaining five patches addressed software flaws that Microsoft ranked "important": a remote code execution (RCE) bug affecting Office, two information disclosure bugs (one in Windows, one in Lync Server), and a flaw in Windows that could allow denial of service.

The fifth, a patch for Windows (MS14-030), plugged a privately reported vulnerability that could allow "tampering."

“The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system,” the Microsoft bulletin said. “By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.”

Microsoft added that the update addresses the vulnerability by strengthening the encryption used by RDP.
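Microsoft's bulletin makes exposure to MS14-030 conditional on a single setting: hosts with RDP disabled are not at risk. The script below is an added example for triaging that condition, not code from the SC Media article or from Microsoft. It reads the registry values that control the Remote Desktop listener, checks whether anything is listening on TCP 3389, and looks up the update by KB number. The KB number is deliberately a parameter with a placeholder default: take the correct value for your OS version from the MS14-030 bulletin rather than from this example.

```powershell
# Added example (not from the article or Microsoft's bulletin): triage one host
# for the MS14-030 exposure condition, "RDP enabled and update not installed".
# The KB id is a placeholder assumption; supply the real one from the bulletin.
param(
    [string]$Kb = 'KBnnnnnnn'   # placeholder: replace with the KB listed in MS14-030 for this OS
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled, which is the Windows default.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# Independent of the policy bit: is anything actually listening on the RDP port?
$listening = netstat -ano | Select-String -Pattern ':3389\s+.*LISTENING'

# Listener configuration relevant to the "strengthened encryption" fix.
# SecurityLayer:      0 = RDP Security Layer, 1 = Negotiate, 2 = TLS (SSL)
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
$rdpProps = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue

# Get-HotFix queries the local update inventory; no match means the update is absent
# (or the inventory does not record it, see the caveat below).
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    RdpEnabled         = $rdpEnabled
    Port3389Listening  = [bool]$listening
    SecurityLayer      = $rdpProps.SecurityLayer
    MinEncryptionLevel = $rdpProps.MinEncryptionLevel
    PatchInstalled     = [bool]$hotfix
    AtRisk             = ($rdpEnabled -and -not $hotfix)
}
```

Run it locally or wrap it in Invoke-Command for a fleet; the AtRisk flag is what the bulletin's own wording reduces to. Two caveats: Get-HotFix reads the Win32_QuickFixEngineering inventory, which does not record every update type, so treat a "not installed" result as a prompt to confirm with your patch management system rather than as proof; and a SecurityLayer of 0 with a low MinEncryptionLevel is worth fixing on its own, since it is exactly the legacy RDP Security Layer configuration that a network-adjacent attacker tampering with RDP packets would prefer.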

On Tuesday, Wolfgang Kandek, CTO at network security and vulnerability management firm Qualys, blogged that the massive patch for several versions of IE (MS14-035) was the “high priority item this month.”

“It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the zero-day, CVE-2014-1770, in IE8,” Kandek said.

He went on to describe how attackers would most likely reach vulnerable users while the patch remained undeployed.

“The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers, a page set up by attackers that exploits a popular theme (soccer's World Cup, for example) or just links to pages emailed to potential victims with short enticing leads,” he warned.

According to Microsoft, the company was not aware of any active attacks exploiting the long list of RCE bugs prior to Patch Tuesday.
