Surprise, surprise. Microsoft’s August Patch Tuesday focused heavily on Internet Explorer. Redmond rolled out 29 patches for IE. One of those patches plugs a hole that could allow a remote attacker to gain access to a computer over the Internet.
Beyond those 29 patches, Microsoft also issued 12 fixes to address 37 vulnerabilities. There are two critical patches in the bunch. Besides the IE critical patch, there’s also a critical hole in Microsoft’s OneNote, which is the company’s digital note-taking application. A hacker could take control of your machine if you don’t apply the patch.
“Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching,” Ross Barrett, senior manager of engineering at security firm Rapid7, told us. “This month’s advance notice contains nine advisories spanning a range of Microsoft products.”
Tired of Patching IE?
Of course, security researchers agree that the browser should be IT’s top priority this month. MS14-051 includes 25 fixes for all supported versions of IE. The good news is that all of the vulnerabilities were kept private except CVE-2014-2819, which was publicly disclosed just last week at Black Hat.
Russ Ernst, Director of Product Management at Lumension, told us this flaw allows an attacker to bypass the application sandbox and elevate privilege -- but it must be combined with another remote code execution vulnerability to ultimately be successful.
“If you feel like you are constantly patching IE -- you are. A cumulative update for the browser is now the rule more so than the exception,” he said. “To help users keep up, Microsoft announced last week they will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, they will offer customers migration resources and upgrade guidance.”
What could also help is a new Microsoft-planned whitelist mechanism the company announced last week. The IE tool blocks ActiveX controls, including old versions of Java. Ernst called it a “great security win” for the enterprise and said IT should consider the creation of a group policy that blocks old versions of one of the bad guys’ favorite attack vectors.
Get Familiar With Whitelisting
Beyond IE, MS14-045 updates Microsoft Windows to address a vulnerability in a media library. Attackers can drive a remote code execution through media files embedded in Microsoft Office documents and an attack through simple Web browsing is possible as well, according to Wolfgang Kandek, CTO of security firm Qualys.
Kandek told us the remaining vulnerabilities are a mixed bag and address a denial-of-service problem in SQL Server (MS14-044), a SharePoint issue in MS14-050, a kernel problem in win32k.sys in MS14-045, and 2 ASLR bypasses in MS14-046 and MS14-047.
“Focus on the IE bulletin and take your time to evaluate the new whitelisting mechanism,” he suggested. If you are interested in a good description of a typical attack against a company, take a look at the details of the Gamma/Finfisher hack and go through the motions to see how your perimeter would have held up.”