Patch Tuesday fixes critical Internet Explorer vulnerabilities


by Ben Sullivan | 12 February 2014

31 vulnerabilities addressed, with four ‘critical’ and three ‘important’ bulletins.

Last-minute Internet Explorer fixes have been ushered in on this month's Patch Tuesday, one of which protects the browser from a publicly known vulnerability.

"As if making up for lost time, Internet Explorer has returned to the mix with a bang," said Ziv Mador from security firm Trustwave.

"This month's cumulative update covers 24 individual CVEs, twenty-two of which are rated "Critical" and, although three of the bulletins (MS14-005, MS14-007, MS14-011) don't directly affect Internet Explorer, the web browser is used as a primary attack vector in those cases."

Last week, Microsoft originally stated that it would be issuing five bulletins in February, but two extra bulletins were added this week.

Overall, February's Patch Tuesday addresses 31 vulnerabilities, with four of the bulletins being earmarked as 'critical'.

Mador commented on one of the critical bulletins, which addresses Microsoft Forefront Protection for Exchange 2010.

"MS14-008 is also an interesting "Critical" bulletin. It describes a vulnerability in the malware and spam scanner Microsoft Forefront Protection for Exchange 2010. The vulnerability allows for an attacker to create a malicious email that will cause the scanner to execute arbitrary code. It's an odd case where the security controls that are put in place to protect us are used against us."

Other bulletins include MS14-005, marked as 'important', which resolves a publicly disclosed vulnerability in Microsoft XML Core Services, which is included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer.

"By exploiting this vulnerability, an attacker could read files on the user's local file system or read content of web domains where the user is currently authenticated."

MS14-006 fixes a vulnerability that could lead to denial of service if an attacker sends a large number of specially crafted IPv6 packets to an affected system. To exploit the vulnerability, an attacker's system must belong to the same subnet as the target system.

This security update is rated "Important" for all supported editions of Windows 8, Windows RT, and Windows Server 2012.

MS14-007, rated 'critical', fixes a vulnerability in Direct2D that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

Find the full explanations to this month's Patch Tuesday here.
