Microsoft Patch Tuesday Stars IE -- Again
By Jennifer LeClaire / NewsFactor Network

Surprise, surprise. Microsoft’s August Patch Tuesday focused heavily on Internet Explorer. Redmond rolled out 29 patches for IE. One of those patches plugs a hole that could allow a remote attacker to gain access to a computer over the Internet.

Beyond those 29 patches, Microsoft also issued 12 fixes to address 37 vulnerabilities. There are two critical patches in the bunch. Besides the IE critical patch, there’s also a critical hole in Microsoft’s OneNote, which is the company’s digital note-taking application. A hacker could take control of your machine if you don’t apply the patch.

“Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching,” Ross Barrett, senior manager of security engineering at security firm Rapid7, told us. “This month’s advance notice contains nine advisories spanning a range of Microsoft products.”

Tired of Patching IE?

Of course, security researchers agree that the browser should be IT’s top priority this month. MS14-051 includes 25 fixes for all supported versions of IE. The good news is that all of the vulnerabilities were kept private except CVE-2014-2819, which was publicly disclosed just last week at Black Hat.

Russ Ernst, Director of Product Management at Lumension, told us this flaw allows an attacker to bypass the application sandbox and elevate privilege -- but it must be combined with another remote code execution vulnerability to ultimately be successful.

“If you feel like you are constantly patching IE -- you are. A cumulative update for the browser is now the rule more so than the exception,” he said. “To help users keep up, Microsoft announced last week they will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, they will offer customers migration resources and upgrade guidance.”

What could also help is a new Microsoft-planned whitelist mechanism the company announced last week. The IE tool blocks ActiveX controls, including old versions of Java. Ernst called it a “great security win” for the enterprise and said IT should consider the creation of a group policy that blocks old versions of one of the bad guys’ favorite attack vectors.

Get Familiar With Whitelisting

Beyond IE, MS14-045 updates Microsoft Windows to address a vulnerability in a media library. Attackers can drive a remote code execution through media files embedded in Microsoft Office documents and an attack through simple Web browsing is possible as well, according to Wolfgang Kandek, CTO of security firm Qualys.

Kandek told us the remaining vulnerabilities are a mixed bag and address a denial-of-service problem in SQL Server (MS14-044), a SharePoint issue in MS14-050, a kernel problem in win32k.sys in MS14-045, and 2 ASLR bypasses in MS14-046 and MS14-047.

“Focus on the IE bulletin and take your time to evaluate the new whitelisting mechanism,” he suggested. “If you are interested in a good description of a typical attack against a company, take a look at the details of the Gamma/Finfisher hack and go through the motions to see how your perimeter would have held up.”

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.