Internet Explorer is still the star of Patch Tuesday

Microsoft has fixed 83 flaws in its browser in the last two months.

It's déjà vu all over again. After a mind-blowing 59 separate vulnerabilities were patched in Internet Explorer last month, the Microsoft Web browser is hogging the spotlight again in July.

As predicted last week, Microsoft published six new security bulletins for the July Patch Tuesday, and only two of them are rated as Critical. There are also three Important security bulletins and one Moderate security bulletin this month. The two Critical security bulletins are a cumulative update for Internet Explorer and a patch for an issue with Windows Journal that could allow an attacker to execute malicious code remotely on the vulnerable system. The Important security bulletins address flaws in the on-screen keyboard, the ancillary function driver (AFD) and DirectShow, and the Moderate security bulletin deals with a potential denial of service vulnerability in Microsoft Service Bus.

It seems concerning that Internet Explorer still has so many vulnerabilities. Microsoft has fixed 83 flaws in its browser just in the last 45 days or so. "It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal," said Marc Maiffret, CTO of BeyondTrust.

The other Critical security bulletin--MS14-038--is an example of how obscure or rarely used software can still pose a potential risk. Windows Journal is installed by default in most supported versions of Windows but isn't commonly used.

"In this case, the attack surface can be greatly reduced by uninstalling the affected software or removing associations with the unused program," said Craig Young, security researcher for Tripwire. "One of the best tactics for hardening systems is to remove software or features which are not needed. Doing so protects systems by limiting the lines of code exposed to an attacker and every line of code presents new opportunities for attacks to succeed."

"MS14-039, MS14-040, and MS14-041 fix the issues disclosed in this year's pwn2own contest via the Zero Day Initiative's responsible disclosure process," said Ross Barrett, senior manager of security engineering for Rapid7. "They are all local, elevation of privilege issues by which an unprivileged user or process may gain greater access. They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence. Now that ZDI's embargo has been fulfilled, that exploit code may become publicly available."

Tyler Reguly, manager of security research for Tripwire, sums up with this advice. "IT teams will want to focus on the two critical issues affecting Internet Explorer and Windows Journal. If you cannot apply updates immediately, there are workarounds for both of these critical flaws. Users can switch to a new browser, making sure to set the new browser as the default, and disable any Windows Journal .JNT file associations. While a patch is always preferred, limiting the attack surface is a good backup."
