Microsoft Edge browser gets its first critical patches

Microsoft Edge gets 4 security fixes in its first Patch Tuesday, while older sibling Internet Explorer got 17

Released a little over a month ago, Microsoft's new Edge browser has gotten its first set of critical security patches.

As part of its monthly round of security fixes, colloquially known as Patch Tuesday, Microsoft released a critical bulletin, MS15-05, with four patches covering vulnerabilities in the Windows 10-only Edge browser.

Overall this month, Microsoft issued 12 bulletins covering 56 vulnerabilities. Five bulletins were deemed critical, meaning they should be addressed as soon as possible.

In addition to Edge, this month's patches cover issues in Internet Explorer, Windows, Office, Exchange, the .NET Framework, the Hyper-V virtual machine, Active Directory, and Skype for Business.

Microsoft built Edge as the next generation browser for Windows, one designed to replace Internet Explorer over time.

All the Edge vulnerabilities Microsoft disclosed this month were also found in Internet Explorer, which was covered by MS15-094, pointed out Wolfgang Kandek, chief technology officer for IT security firm Qualys.

"Someone could attack you, whether you have either Internet Explorer or Edge, using a specially crafted Web page," Kandek said.

The duplicates show the code overlap between Edge and IE, indicating that the engineering team developing Edge used at least part of the code base for IE, Kandek said.

But the fact that Edge had fewer vulnerabilities this month than IE, which had 17, shows that Microsoft's engineering effort in building a more secure browser seems to be paying off, Kandek said.

It also shows how difficult it is to write software that is error-free and immune to attackers, he said.

Because Windows 10 hasn't been widely installed in the enterprise yet, reviewing the Edge bulletin may not be the top priority on administrators' to-do lists.

Instead, the bulletins that they should look at first are MS15-097 and MS15-099, which describe a number of critical vulnerabilities found in Office 2007 and 2010, advised Amol Sarwate, Qualys director of engineering.

"There are already attacks going on in the wild" that use these vulnerabilities, Sarwate said. Many are remote code execution vulnerabilities, meaning the user only needs to open a maliciously-crafted Excel or Word document, and the code within can execute actions without the user's knowledge.

Those shops running Microsoft Exchange and Active Directory should also take a close look at MS15-096 and MS15-103, covering Active Directory and Microsoft Exchange, respectively.

The Exchange vulnerability could allow a malicious attacker to gain entry to a user's files through the Outlook Web Access (OWA) client.

The Active Directory flaw makes the software vulnerable to denial-of-service (DoS) attacks.

Active Directory is typically a critical application for businesses. It keeps track of all the user accounts, and it is not usually exposed to the Internet. But the administrator still should remain diligent in keeping it patched.

"If someone breaks into your network, Active Directory may be the first thing they will try to attack," Sarwate said.

Thus far this year, Microsoft has issued 105 bulletins, and Qualys estimates that number to hit 145 by the end of the year. This is up from years past. In 2014, Microsoft issued 106 bulletins and 100 in 2011. (Those issues that Microsoft finds internally are typically not publicized and instead are patched with routine updates before attackers find out about them.)

"I don't think software is becoming any more vulnerable," Kandek said. Rather, the rising number of vulnerabilities stems from more third-party researchers and attackers finding problems, coupled with the growing number of different products, versions and platforms that products run on.

"It's a good indicator for how important security is becoming," Kandek said.
