Microsoft released nine security patches today, but “Patch Tuesday” is apparently too quaint of a phrase and will be no more, according to Microsoft’s Brandon LeBlanc. It’s still on the second Tuesday of each month, but it’s been renamed “Update Tuesday” so Microsoft can deliver security patches along with new OS features.
"Rather than waiting for months and bundling together a bunch of improvements into a larger update as we did for the Windows 8.1 Update, customers can expect that we'll use our already existing monthly update process to deliver more frequent improvements along with the security updates normally provided as part of 'Update Tuesday’.” Oh, and you can also forget about Windows 8.1 Update 2 as LeBlanc said it’s not being released.
Patches rated Critical
MS14-051 should be top on your list for deployment, as it is rated critical for all currently supported versions of Internet Explorer. The patch resolves one publicly disclosed and 25 privately reported vulnerabilities in IE. The most severe vulnerability could allow remote code execution (RCE) if an attacker were to get a user to visit a maliciously crafted site.
MS14-043 is another RCE vulnerability fix, but for Windows Media Center this time. “The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that invokes Windows Media Center resources.”
Patches rated Important
Although rated as “important,” Microsoft advised this RCE bug fix to also be a top priority for deployment. MS14-048 fixes a privately report flaw in Microsoft OneNote.
Deployment priority two starts with MS14-045, which patches three privately report bugs, including an elevation of privilege (EoP) vulnerability, in Microsoft Windows kernel-mode drivers.
MS14-046 patches one privately reported vulnerability in Microsoft .NET Framework. “The vulnerability could allow security feature bypass if a user visits a specially crafted website. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities.”
MS14-047 is another fix for a security feature bypass flaw in Windows. “The vulnerability could allow security feature bypass if an attacker uses the vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that takes advantage of the ASLR bypass to run arbitrary code.”
Microsoft suggested deploying the next three patches last.
MS14-044 close two holes in Microsoft SQL Server. The more severe vulnerability in SQL Server Master Data Services could allow an attacker to elevate privileges “if a user visits a specially crafter website that injects a client-side script into the user’s instance of IE."
MS14-049 patches another EoP vulnerability, but in Windows Installer Service this time. “The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.”
If you still use Internet Explorer 8, that should change after January 12, 2016, as Microsoft said, “Only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.” Beginning January 12, 2016, here's what Microsoft will support: Windows Vista SP2 and IE 9; Windows Server 2008 SP2 and IE 9; Windows 7 SP1 and IE 11; Windows Server 2008 R2 SP1 and IE 11; Windows 8.1 and IE 11; Windows Server 2012 and IE 10; and Windows Server 2012 R2 and IE 11.
Lastly, in order to deliver a more secure browser, the IE Blog said, “Starting September 9th, Internet Explorer will block out-of-date ActiveX controls.”
That's it for now. Happy patching!