Patch Tuesday brings crucial IE fix
Microsoft issued four critical security bulletins and four additional important bulletins covering IE, Windows and Microsoft Office
IDG News Service - As anticipated, the latest round of Microsoft's Patch Tuesday monthly release of security fixes addresses a widely known Internet Explorer (IE) vulnerability already being exploited by malicious hackers.
The critical IE bulletin covers one publicly disclosed vulnerability and nine vulnerabilities not yet known by the public. The other three critical bulletins address flaws in the Windows OS. Three of the bulletins marked as important address issues with Microsoft Office, and the fourth remedies a problem in Silverlight.
Administrators should apply the patch for the IE vulnerabilities first, advised Wolfgang Kandek, chief technology officer of IT security firm Qualys.
This month's collection also marks the 10th anniversary of Microsoft's Patch Tuesday, which the company started in October 2003 in order to bundle security patches into monthly release cycles, which would allow system administrators to apply them all at the same time, rather than deal with each patch individually.
Although holding on to crucial patches for up to 30 days can be potentially problematic in terms of security -- at least for those patches that address publicly known vulnerabilities -- the monthly release cycle has been beneficial for the industry, in that it brings order to an otherwise unruly process of staying ahead of those who exploit vulnerabilities for nefarious purposes, Kandek said.
"Our perspective has certainly evolved from 10 years ago when Patch Tuesday was started. Back then vulnerabilities were clear cut and straightforward to understand. Today the amount of complexity that goes into the detection and remediation process is truly impressive," Kandek later added in an e-mail statement.
The IE public vulnerability, works by exploiting how IE accesses computer memory, allowing a maliciously designed Web page to gain user privileges on a computer. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," a Microsoft advisory warned.
When the vulnerability was made public last month, malicious hackers quickly put it to use. An exploit based on the vulnerability was added to the popular penetration testing framework Metasploit, where it could be used on its own, or as one in a chain of vulnerabilities designed to gain illicit access to computers. Most of the attacks targeted versions 8 and 9 of IE, though all currently supported versions of the browser could be affected.
The IE vulnerability might have been severe enough to warrant Microsoft issuing an out-of-band patch before this month's Patch Tuesday. Instead, the company issued instructions on how to temporarily fix the problem and scheduled the correction for this month's Patch Tuesday. The move was a wise one, Kandek said. "Every time you go out of band, it makes the work of the IT administrators harder, because they have to react to it and push out patches that they were not prepared for," he said.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Malware and Vulnerabilities White Papers | Webcasts