Microsoft debugs IE and Windows with Patch Tuesday updates
Critical IE patches address vulnerabilities that could lead to remote code execution
IDG News Service - Another month of security updates from Microsoft means, once again, another round of fixes for the company's Internet Explorer (IE) Web browser, as well as a set of updates for the Windows operating system, for both the server and desktop editions.
Overall, Microsoft has issued six bulletins in July's "Patch Tuesday" collection of software fixes. Microsoft issues these collections on the second Tuesday of each month, hence the name "Patch Tuesday."
Two of the patches are marked as critical, meaning they address defects in Microsoft's software that could be readily exploited by malicious attackers to compromise systems. One of the critical bulletins is for IE, and the other one is for Windows.
Three of the remaining bulletins are denoted as "important" by Microsoft and one as "moderate." These bulletins cover Windows and the messaging component of Windows Server.
A single bulletin may cover multiple patches for a single piece of software, such as Microsoft Windows.
Wolfgang Kandek, chief technology officer for security firm Qualys, advised administrators to look at the IE patches first. IE update MS-14-037 addresses one publicly disclosed vulnerability and 23 privately reported vulnerabilities. The critical patches in this set all address vulnerabilities that could lead to remote code execution, which would allow an attacker to gain privileges on a machine by tricking a user to view a specially crafted Web page using the browser.
The critical Windows update MS14-038 covers a remote execution vulnerability that originates in a faulty way for how Windows opens files in the Windows Journal file format. Windows Journal is Microsoft's software for capturing handwritten notes on a computer. It can be used not only for touch-enabled devices, but also for other non-touch Windows computers to read files in that format.
If an organization does not use the Journal format, it may be a good idea to turn off the capability altogether in its Windows machines, so as to reduce the "attack surface" of these computers, Kandek said. In general, it is a good idea to turn off any unneeded services in computers if an administrator has the time to do this, he said.
While administrators are in the mode of testing and applying software patches, they should also take a close look at the critical patches Adobe has issued Tuesday for its Flash player.
Oracle shops should also prepare for Oracle's quarterly round of patches, due to be issued Thursday.
IE tends to get the most of the fixes in Patch Tuesday not necessarily because it is inherently more buggy than other Microsoft software, but because it is widely used software that could provide an entry point for outsiders to break into the computers that run the browser. As a result, it is under such scrutiny by both malicious attackers and security researchers.
IE is not necessarily any more buggy than other popular browsers, such as Google Chrome or Mozilla's Firefox. Both Google and Mozilla have automatic updates for their browsers, so a vulnerability can get addressed as soon as the developers create a patch to fix the problem, noted Amol Sarwate, the director of Qualys' Vulnerability Labs. As a result, such bugs and their attendant fixes are rarely called out in the press, unless they are critical in nature.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- Trends Shaping Software Management: 2014 Most IT executives recognize the relationship between mobile computing and worker productivity, and have long issued notebook computers and other mobile devices to...
- Software Asset Management: Pay Attention or Pay Up There is a wide range of options for managing software assets, from in-house solutions to the cloud to managed services providers. Read this...
- IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Leveraging Flash Storage to Accelerate Oracle Real Application Clusters Join this webinar to understand the latest solid-state storage trends, the specific applications driving solid-state storage deployments and the benefits of deploying the... All Malware and Vulnerabilities White Papers | Webcasts