By Joab Jackson, IDG News Service | July 8th, 2014
Critical IE patches address vulnerabilities that could lead to remote code execution
Another month of security updates from Microsoft means, once again, another round of fixes for the company’s Internet Explorer (IE) Web browser, as well as a set of updates for the Windows operating system, for both the server and desktop editions.
Overall, Microsoft has issued six bulletins in July’s “Patch Tuesday” collection of software fixes. Microsoft issues these collections on the second Tuesday of each month, hence the name “Patch Tuesday.”
Two of the patches are marked as critical, meaning they address defects in Microsoft’s software that could be readily exploited by malicious attackers to compromise systems. One of the critical bulletins is for IE, and the other one is for Windows.
Three of the remaining bulletins are denoted as “important” by Microsoft and one as “moderate.” These bulletins cover Windows and the messaging component of Windows Server.
A single bulletin may cover multiple patches for a single piece of software, such as Microsoft Windows.
Wolfgang Kandek, chief technology officer for security firm Qualys, advised administrators to look at the IE patches first. IE update MS-14-037 addresses one publicly disclosed vulnerability and 23 privately reported vulnerabilities. The critical patches in this set all address vulnerabilities that could lead to remote code execution, which would allow an attacker to gain privileges on a machine by tricking a user to view a specially crafted Web page using the browser.
The critical Windows update MS14-038 covers a remote execution vulnerability that originates in a faulty way for how Windows opens files in the Windows Journal file format. Windows Journal is Microsoft’s software for capturing handwritten notes on a computer. It can be used not only for touch-enabled devices, but also for other non-touch Windows computers to read files in that format.
If an organization does not use the Journal format, it may be a good idea to turn off the capability altogether in its Windows machines, so as to reduce the “attack surface” of these computers, Kandek said. In general, it is a good idea to turn off any unneeded services in computers if an administrator has the time to do this, he said.
While administrators are in the mode of testing and applying software patches, they should also take a close look at the critical patches Adobe has issued Tuesday for its Flash player.
Oracle shops should also prepare for Oracle’s quarterly round of patches, due to be issued Thursday.
IE tends to get the most of the fixes in Patch Tuesday not necessarily because it is inherently more buggy than other Microsoft software, but because it is widely used software that could provide an entry point for outsiders to break into the computers that run the browser. As a result, it is under such scrutiny by both malicious attackers and security researchers.
IE is not necessarily any more buggy than other popular browsers, such as Google Chrome or Mozilla’s Firefox. Both Google and Mozilla have automatic updates for their browsers, so a vulnerability can get addressed as soon as the developers create a patch to fix the problem, noted Amol Sarwate, the director of Qualys’ Vulnerability Labs. As a result, such bugs and their attendant fixes are rarely called out in the press, unless they are critical in nature.