Microsoft Patch Tuesday Stars IE -- Again
By Jennifer LeClaire / NewsFactor Network

Surprise, surprise. Microsoft’s August Patch Tuesday focused heavily on Internet Explorer. Redmond rolled out 29 patches for IE. One of those patches plugs a hole that could allow a remote attacker to gain access to a computer over the Internet.

Beyond those 29 patches, Microsoft also issued 12 fixes to address 37 vulnerabilities. There are two critical patches in the bunch. Besides the IE critical patch, there’s also a critical hole in Microsoft’s OneNote, which is the company’s digital note-taking application. A hacker could take control of your machine if you don’t apply the patch.

“Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching,” Ross Barrett, senior manager of security engineering at security firm Rapid7, told us. “This month’s advance notice contains nine advisories spanning a range of Microsoft products.”

Tired of Patching IE?

Of course, security researchers agree that the browser should be IT’s top priority this month. MS14-051 includes 25 fixes for all supported versions of IE. The good news is that all of the vulnerabilities were kept private except CVE-2014-2819, which was publicly disclosed just last week at Black Hat.

Russ Ernst, Director of Product Management at Lumension, told us this flaw allows an attacker to bypass the application sandbox and elevate privilege -- but it must be combined with another remote code execution vulnerability to ultimately be successful.

“If you feel like you are constantly patching IE -- you are. A cumulative update for the browser is now the rule more so than the exception,” he said. “To help users keep up, Microsoft announced last week they will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, they will offer customers migration resources and upgrade guidance.”

What could also help is a new Microsoft-planned whitelist mechanism the company announced last week. The IE tool blocks ActiveX controls, including old versions of Java. Ernst called it a “great security win” for the enterprise and said IT should consider the creation of a group policy that blocks old versions of one of the bad guys’ favorite attack vectors.

Get Familiar With Whitelisting

Beyond IE, MS14-045 updates Microsoft Windows to address a vulnerability in a media library. Attackers can achieve remote code execution through media files embedded in Microsoft Office documents, and an attack through simple Web browsing is possible as well, according to Wolfgang Kandek, CTO of security firm Qualys.

Kandek told us the remaining vulnerabilities are a mixed bag: a denial-of-service problem in SQL Server (MS14-044), a SharePoint issue in MS14-050, a kernel problem in win32k.sys in MS14-045, and two ASLR bypasses in MS14-046 and MS14-047.

“Focus on the IE bulletin and take your time to evaluate the new whitelisting mechanism,” he suggested. “If you are interested in a good description of a typical attack against a company, take a look at the details of the Gamma/Finfisher hack and go through the motions to see how your perimeter would have held up.”


© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.