Microsoft released seven patches last night, adding two more to its planned release of five.
Of these, four were rated as critical and three as important. Tyler Reguly, manager of security research at Tripwire, said: “The biggest discussion point with Microsoft’s patch drop this month is probably the change in bulletins. To go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in, or testing found an issue and an engineer shipped a fix last minute.”
One of the additions was a critical update for Internet Explorer, MS14-010, which addresses one publicly and 23 privately disclosed issues in Internet Explorer. Microsoft said that an attacker who successfully exploited the most severe of these issues could execute code with the privileges of the logged-on user. The bulletin affects all versions of Internet Explorer from IE6 on Windows XP to IE11 on Windows RT.
Lamar Bailey, director of security research at Tripwire, said: “IE takes the lead with over 20 CVEs this month and is definitely the most critical issue to get patched. Given the late additions to this patch cycle, companies will want to make sure to take a careful look and test carefully before rolling it out to everyone.”
Microsoft also singled out two other critical-rated patches, MS14-007 and MS14-011, as the next most important to apply.
Wolfgang Kandek, CTO of Qualys, said: “MS14-007 is next in our priority list, at least if you are running Windows 7 or later. The patch fixes an issue in the graphics library DirectWrite. The attack would come through the browser in a malicious webpage that uses the <SVG> tag for Scalable Vector Graphics, a good reminder that new technology is usually not free of implementation vulnerabilities.
“The two remaining critical Microsoft bulletins are MS14-011, addressing a vulnerability in VBScript, the scripting engine used in IE, again with an attack vector of malicious webpages, and MS14-008, addressing a file format vulnerability in Forefront for Exchange, a legacy anti-spam product for Microsoft Exchange.”
Bailey said: “MS14-008 is an interesting critical update because, while the issue is critical, it may not be possible to actually get to the vulnerable code. This vulnerability only affects Forefront Protection for Exchange and is not to be confused with other Forefront products. Microsoft has taken a scalpel and cut out the vulnerable code so this will not be an issue going forward.”
In the important updates, MS14-009 fixes vulnerabilities in the .NET Framework that could allow elevation of privilege, MS14-005 fixes a vulnerability in Microsoft XML Core Services that could allow information disclosure, and MS14-006 addresses a vulnerability in IPv6 that could allow a denial-of-service attack.
Ross Barrett, senior manager of security engineering at Rapid7, said: “The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege. Not to be ignored, but should be of slightly less concern than remote critical vulnerabilities.”