Microsoft Patch Tuesday Stars IE -- Again
By Jennifer LeClaire / NewsFactor Network
Surprise, surprise. Microsoft’s August Patch Tuesday focused heavily on Internet Explorer. Redmond rolled out 29 patches for IE. One of those patches plugs a hole that could allow a remote attacker to gain access to a computer over the Internet.

Beyond those 29 patches, Microsoft also issued 12 fixes to address 37 vulnerabilities. There are two critical patches in the bunch. Besides the IE critical patch, there’s also a critical hole in Microsoft’s OneNote, which is the company’s digital note-taking application. A hacker could take control of your machine if you don’t apply the patch.

“Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching,” Ross Barrett, senior manager of security engineering at security firm Rapid7, told us. “This month’s advance notice contains nine advisories spanning a range of Microsoft products.”

Tired of Patching IE?

Of course, security researchers agree that the browser should be IT’s top priority this month. MS14-051 includes 25 fixes for all supported versions of IE. The good news is that all of the vulnerabilities were kept private except CVE-2014-2819, which was publicly disclosed just last week at Black Hat.

Russ Ernst, Director of Product Management at Lumension, told us this flaw allows an attacker to bypass the application sandbox and elevate privilege -- but it must be combined with another remote code execution vulnerability to ultimately be successful.

“If you feel like you are constantly patching IE -- you are. A cumulative update for the browser is now the rule more so than the exception,” he said. “To help users keep up, Microsoft announced last week they will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, they will offer customers migration resources and upgrade guidance.”

What could also help is a new Microsoft-planned whitelist mechanism the company announced last week. The IE tool blocks ActiveX controls, including old versions of Java. Ernst called it a “great security win” for the enterprise and said IT should consider the creation of a group policy that blocks old versions of one of the bad guys’ favorite attack vectors.

Get Familiar With Whitelisting

Beyond IE, MS14-045 updates Microsoft Windows to address a vulnerability in a media library. Attackers can achieve remote code execution through media files embedded in Microsoft Office documents, and an attack through simple Web browsing is possible as well, according to Wolfgang Kandek, CTO of security firm Qualys.

Kandek told us the remaining vulnerabilities are a mixed bag and address a denial-of-service problem in SQL Server (MS14-044), a SharePoint issue in MS14-050, a kernel problem in win32k.sys in MS14-045, and 2 ASLR bypasses in MS14-046 and MS14-047.

“Focus on the IE bulletin and take your time to evaluate the new whitelisting mechanism,” he suggested. “If you are interested in a good description of a typical attack against a company, take a look at the details of the Gamma/Finfisher hack and go through the motions to see how your perimeter would have held up.”

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.