Microsoft Subnet An independent Microsoft community View more

7 on Patch Tuesday: Microsoft adds 2 critical security updates for IE, Windows

Today is Patch Tuesday, Safer Internet Day, and The Day We Fight Back against NSA mass surveillance.

Microsoft added two security bulletins yesterday, bringing the total to seven, with four critical updates and three updates rated important.

Before we jump to the suggested deployment priorities and more about today's patches, because today is Safer Internet Day, Microsoft also launched an interactive Safer Online website. The company is asking people to "Do 1 Thing" to help make the Internet a safer place. Today's Microsoft Security Response Center post suggested your one thing, other than applying security updates, should be to install the latest version of EMET (The Enhanced Mitigation Experience Toolkit).

The idea behind "Do 1 Thing" is great, but if you choose to do only one thing to make the net safer for all netizens today, might I recommend fighting back against NSA mass surveillance since today is also The Day We Fight Back! You may have seen the banners on any of the thousands of websites urging you to call or email your lawmakers today.

OK, back to your regularly scheduled Patch Tuesday news: MSRC recommended deploying MS14-007, MS14-010 and MS14-011 first. All three of those, plus MS14-008, are rated critical due to remote code execution (RCE) vulnerabilities.  

The critically rated MS14-007 affects Windows 7 through Windows 8.1, including RT and 8.1 RT, as well as Windows Server 2008 R2, Windows Server 2012 and 2012 R2. While the RCE vulnerability in Microsoft Windows Direct2D has an exploitability index of 1, an attacker would have no way to force users to visit maliciously crafted content.

MS14-010 is a whopper, closing one public and 23 privately disclosed holes in Internet Explorer. "An attacker who successfully exploited the most severe of these issues could execute code at the level of the logged on user."

MS14-011, also critical, will patch a vulnerability in Windows VBScript scripting engine. Although it affects several versions of Windows and IE, if you are still using the soon-to-be-retired Windows XP, then get the security patch while the getting is good.

MS14-008 is rated critical for all supported builds of Microsoft Forefront Protection for Exchange 2010.

Ross Barrett, senior manager of security engineering at Rapid7, said, "Given a remote code execution in a perimeter service like Forefront, I'd be inclined to say that this would be the highest-priority patching issue this month. However, there is apparently no known exploitation of this in the wild, no known exploit vector, and this was found internally by Microsoft in a code analysis. So I'm going to call the IE 24 CVE rollup, MS14-010, the highest priority for patching. The second priority is, not surprisingly, the critical in Windows 7 and later issue (MS14-007), the third is the OS variant of the one CVE in that also affects IE, MS14-011."

MS14-009 is rated as important, but the elevation of privilege vulnerability has an exploitability index of 1. The patch "resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework."

Rated important, MS14-005 addresses a "publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows."

Last to be deployed, according to MSRC, is MS14-006. Rated important, it affects "all supported editions of Windows 8, Windows RT, and Windows Server 2012." It closes a vulnerability in IPv6 that could allow a denial-of-service attack if the attacker's system is on the subnet as the target system.

Microsoft Trustworthy Computing group manager Dustin Childs said, "The revision to advisory 2862973 might be easy to overlook, but it's an important change. Certificates with MD5 hashes should no longer be considered safe. We've given our customers six months to prepare their environments, and now this update is available through automatic updates." Childs added, "We originally released this update last August to allow for testing, as the update will impact applications and services using certificates with the MD5 hashing algorithm. If you have already applied the update, you won't need to take any additional action. If you haven't applied this update yet, you can do so through automatic updates."

Microsoft's decision to add two security bulletins at the last minute is sort of a big deal. "In eight years of dissecting these announcements, I don't recall them ever adding to the advance notification between its release and the Tuesday of the patches," stated Rapid7's Barrett. He added:

"I talked this over with some folks in the know, and the message is that something (in the IE patch) came in just under the wire, in terms of testing completeness on Microsoft's side. Due to the criticality of it, they bent their schedule in favor of customer security to get the patch out sooner. The added OS patch is a variant of one of the IE patches, and shares a CVE. Reaction to this could fall into one of two camps, either fear that something is being rushed out the door, or relief that we don't have to wait another month for an IE roll-up, which is a really long time on the internet."

Happy patching! It would be great if you could do a couple things today to make the Internet safer. Again, at the very least, I urge you to fight back against NSA mass surveillance.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.