Another Month, Another IE-Focused Patch Tuesday

Microsoft rolled out fixes for 59 vulnerabilities in Internet Explorer in June. But the IE-patching party is not over yet.

Redmond on Tuesday published six new security bulletins. Two of them are rated critical, three are rated important, and one is classified as moderate. Not surprisingly, the two critical bulletins are a cumulative update for Internet Explorer and a patch for an issue in the note-taking app Windows Journal that could open the door for attackers.

Meanwhile, the important bulletins tackle flaws in DirectShow, the on-screen keyboard and ancillary function driver, or AFD. The moderate security bulletin addresses a potential denial of service vulnerability in Microsoft Service Bus.

No Time to Relax

We caught up with Craig Young, security researcher at IT security software firm Tripwire, to get his thoughts on July's Patch Tuesday. He told us Windows Server administrators will be relieved that none of the holes Microsoft is plugging this month can be used for remote code execution without user interaction.

"There is a long list of Internet Explorer CVEs as usual but, apart from that, this month is primarily addressing bugs that are more likely to be used after an attacker has gained low privileged code execution," Young said. "This is not a good reason for security teams to relax this month, though. Microsoft expects all but one of the bulletins will be exploited within the next 30 days, so it's important to deploy these updates as soon as possible."

As Young sees it, the critical vulnerability described in MS14-038 is a strong example of how attackers can abuse unused software. He noted that Windows Journal -- which is installed by default but isn't commonly used -- can lead to arbitrary code execution.

"In this case, attack surface can be greatly reduced by uninstalling the affected software or removing associations with the unused program," Young...
