Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 16 May, 2022
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2021
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2021
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Seven patches from Microsoft sees IE flaw fixed

by The Gurus
June 11, 2014
in Editor's News
Share on FacebookShare on Twitter

Microsoft released seven bulletins last night, patching two critical flaws and addressing 66 Common Vulnerabilities and Exposures for Windows, Internet Explorer and Office.
 
Wolfgang Kandek, CTO of Qualys, said that this brings the half-year total to 36, ten behind last year’s pace which was 46. “We have become accustomed to see around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year,” he said.
 
“This runs counter to the general tendency of the year which has already seen its shares of big breaches, zero-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.”
 
Regarding priorities, Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, said that the bulletin MS14-035 for Internet Explorer resolves 59 items, including CVE-2014-1770. “The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cyber criminal,” he said.
 
“We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin.  While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.”
 
Kandek said: “This addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed two and a half weeks ago by vulnerability broker ZDI.
 
“ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction. The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers. Given the volume of work that we do through web browsers, apply this update first.”
 
Craig Young, security researcher at Tripwire, said: “Although no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code.”
 
Russ Ernst, director of product management at Lumension, said: “The second critical patch this month is MS14-036. This is a far-reaching vulnerability in Microsoft Graphics component that could allow a remote code execution. The two CVEs are not currently under known attack but the impacted software list is extensive: all versions of Windows, Office, Lync and Live Meeting. Given this extensive list of impacted applications and systems, administrators should have their test systems up to date to ensure a smooth roll-out.”
 
However Kandek said that the next priority is the Microsoft Word update, MS14-034, which addresses one vulnerability in the program’s font handling (CVE-2014-2778). “Microsoft rates it only “important” because user interaction is required – one has to open a Word file – but it allows the attacker Remote Code Execution,” he said.
 
Ernst, said: “Notably, MS14-036 and MS14-031 impact Windows Server 2003 so this is a good time to note its impending end of life in July, 2015. We are coming up on just a year out now and because any changes to your data cenre environment will likely require a significant amount planning and work, it isn’t too soon to get that plan started.”

FacebookTweetLinkedIn
Tags: ExplorerMicrosoftPatchVulnerabilityWindows
ShareTweetShare
Previous Post

What makes Tom cross?

Next Post

Target grab new CISO

Recent News

man looking sad

Security pros say their mental health has declined

May 13, 2022
@ symbol

NCSC launches free email security check

May 12, 2022
warning colours

Five Eyes urges organisations to secure supply chains

May 12, 2022
industrial lab

CNI firms see cyberattack surge

May 11, 2022

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2021
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information