Microsoft released six patches last night to cover 29 vulnerabilities in Microsoft Windows and Internet Explorer.
With two rated as critical, three rated as important and one rated as moderate in severity, Tyler Reguly, manager of security research at Tripwire, recommended TT teams to focus on the two critical issues affecting Internet Explorer and Windows Journal first.
“If you cannot apply updates immediately, there are workarounds for both of these critical flaws,” he said. “Users can switch to a new browser, making sure to set the new browser as the default, and disable any Windows Journal .JNT file associations. While a patch is always preferred, limiting the attack surface is a good backup.”
Craig Young, security researcher at Tripwire, said: “The critical vulnerability described in MS14-038 is a great example of how unused software can be abused by attackers. In this case Windows Journal, which is installed by default but isn’t commonly used, can lead to arbitrary code execution.”
Wolfgang Kandek, CTO of Qualys, said: “This first made its appearance in Windows XP Tablet Edition, so this is a vulnerability that really does not apply to a normal Windows XP system. However after XP, it has been included by default in all subsequent Windows versions: Vista, 7 and 8 and can be attacked through a specially formatted input file.
“The attack vector can be through web-browsing, email or IM or any other means that can be used to send you a .JNT file. Given its obscurity and the potential for more file format problems it is probably a reasonable measure to disable the file extension .JNT.”
Kandek highlighted the biggest update of the month to be the highest priority. “MS14-037 addresses 24 vulnerabilities in Internet Explorer (IE), almost all user-after-free type vulnerabilities and is valid for all versions (6-11) of Microsoft’s browser. There are no zero-days open for IE, which would dictate the shortest turn-around possible for
the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation,” he said.
Kandek also recommended users look at this month’s Adobe Flash fix as their second highest priority, unless they are running IE10, IE11 or Google Chrome. “They embed Adobe Flash and update it automatically, so in that case you and your users do not have to do that. Everybody else, Internet Explorer 9 and lower, Firefox and Mac OS X users should update their Flash installation manually.”