Menu
Internet Explorer is still the star of Patch Tuesday

Internet Explorer is still the star of Patch Tuesday

Microsoft has fixed 83 flaws in its browser in the last two months.

It's déjà vu all over again. After a mind-blowing 59 separate vulnerabilities were patched in Internet Explorer last month, the Microsoft Web browser is hogging the spotlight again in July.

As predicted last week, Microsoft published six new security bulletins for the July Patch Tuesday, and only two of them are rated as Critical. There are also three Important, and one Moderate security bulletin this month. The two Critical security bulletins are a cumulative update for Internet Explorer and a patch for an issue with Windows Journal that could allow an attacker to execute malicious code remotely on the vulnerable system. The Important security bulletins address flaws with the on-screen keyboard, ancillary function driver (AFD) and DirectShow, and the Moderate security bulletin deals with a potential denial of service vulnerability in Microsoft Service Bus.

It seems concerning that Internet Explorer still has so many vulnerabilities. Microsoft has fixed 83 flaws in its browser just in the last 45 days or so. "It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal," said Marc Maiffret, CTO of BeyondTrust.

The other Critical security bulletin--MS14-038--is an example of how obscure or rarely used software can still pose a potential risk. Windows Journal is installed by default in most supported versions of Windows but isn't commonly used.

"In this case, the attack surface can be greatly reduced by uninstalling the affected software or removing associations with the unused program," said Craig Young, security researcher for Tripwire. "One of the best tactics for hardening systems is to remove software or features which are not needed. Doing so protects systems by limiting the lines of code exposed to an attacker and every line of code presents new opportunities for attacks to succeed."

"MS14-039, MS14-040, and MS14-041 fix the issues disclosed in this year's pwn2own contest via the Zero Day Initiative's responsible disclosure process," said Ross Barrett, senior manager of security engineering for Rapid7. "They are all local, elevation of privilege issues by which an unprivileged user or process may gain greater access. They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence. Now that ZDI's embargo has been fulfilled, that exploit code may become publicly available."

Tyler Reguly, manager of security research for Tripwire, sums up with this advice. "IT teams will want to focus on the two critical issues affecting Internet Explorer and Windows Journal. If you cannot apply updates immediately, there are workarounds for both of these critical flaws. Users can switch to a new browser, making sure to set the new browser as the default, and disable any Windows Journal .JNT file associations. While a patch is always preferred, limiting the attack surface is a good backup."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftInternet Explorerpatches

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments