SOFTWARE BUG FACTORY Microsoft has issued a long list of security bulletins across its software line in its Patch Tuesday release for June, a record-breaking 59 of which patch the firm's web browser, Internet Explorer (IE).
The release comprises seven bulletins: two tagged with Microsoft's highest severity rating, Critical (MS14-035 and MS14-036), and five rated Important. The patches fix 66 vulnerabilities overall, including flaws in IE, Microsoft Windows, Microsoft Office and Microsoft Lync.
The company said that the most severe bugs patched by MS14-035 allow remote code execution following a watering hole attack, in which a user visits a malicious website designed to target a specific group of people.
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user," Microsoft said, adding that users with administrative rights are worst affected.
It's worth noting that this bulletin includes Microsoft's fix for the IE 8 zero-day bug that the Redmond firm left unpatched after the Zero-Day Initiative (ZDI) reported it seven months ago.
Earlier in May, ZDI issued a report saying that the critical IE 8 zero-day flaw, designated CVE-2014-1770, had gone unfixed since last October, when it was reported by Peter "corelanc0d3r" Van Eeckhoutte. When we asked Microsoft for a comment at the time, a spokesperson said the Redmond firm knew about the flaw but had "not detected" incidents affecting its customers.
The ZDI is an initiative that rewards security researchers for disclosing vulnerabilities to it. The bug had not been made public earlier because ZDI's policy is to publish details of a flaw only once it has gone unfixed for more than 180 days.
The vulnerability meant that, in a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the flaw through IE and then lure users into viewing it.
In its June Patch Tuesday release, Microsoft also warned that the most severe vulnerability is rated Critical for IE 7 to IE 11 running on Windows desktop computers and Important for IE 6 to IE 11 running on Windows Server.
"The high priority item this month is Microsoft's Internet Explorer (IE) Bulletin MS14-035. This issue is not under attack, but it was disclosed two and a half weeks ago by vulnerability broker ZDI," said security firm Qualys CTO Wolfgang Kandek. "The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction."
"Given the volume of work that we do through web browsers, apply this update first," he advised.
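For administrators who want to act on that advice, the following PowerShell script is an added example written for this page; it is not from the article, from Microsoft or from Qualys. It reads the installed Internet Explorer version from the registry, notes whether the host is a Windows client or server (the two cases the bulletin rates differently), and then checks Get-HotFix for the update package. The KB number used as the default, 2957689, is an assumption about which package carries MS14-035 and should be confirmed against the bulletin for your IE and Windows combination before the result is trusted.

```powershell
# Added example (not the article's own code): is MS14-035 present on this host?
# ASSUMPTION: KB2957689 is the package KB for the June 2014 IE cumulative update;
# verify against the bulletin before relying on it. Written for PowerShell 2.0+.
param(
    [string[]]$RequiredKB = @('KB2957689')
)

function Get-IEVersion {
    # IE 10 and later record their real version in svcVersion; older releases
    # only in Version, so prefer svcVersion when it exists.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    $v = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [version]$v
}

function Test-RequiredHotfix {
    param([string[]]$KB)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed
    # through Windows Update / WUSA. Treat a miss as "needs checking", not "safe":
    # WSUS or SCCM reporting remains the authoritative source.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $KB) {
        New-Object PSObject -Property @{
            KB        = $id
            Installed = [bool]($installed -contains $id)
        }
    }
}

$ieVersion = Get-IEVersion
# ProductType 1 = workstation; 2 and 3 are domain controller and server.
$isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1
$platform = if ($isServer) { 'Windows Server' } else { 'Windows client' }
Write-Host ("Internet Explorer {0} on {1}" -f $ieVersion, $platform)

# The bulletin rates the IE flaws Critical on client systems and Important on
# servers, but MS14-035 is in scope for every supported IE release either way.
$results = Test-RequiredHotfix -KB $RequiredKB
$results | Format-Table KB, Installed -AutoSize

$missing = @($results | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $ids = ($missing | ForEach-Object { $_.KB }) -join ', '
    Write-Warning ("Not found: {0} - schedule MS14-035 ahead of the other June bulletins." -f $ids)
    exit 1
}
Write-Host 'MS14-035 package present.'
exit 0
```

Run it from an elevated prompt on each host, or wrap it in a remoting loop with Invoke-Command; a non-zero exit code marks hosts that still need the IE update, which is the one Kandek says to deploy first.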
The other Critical update is MS14-036, which ships a new version of the GDI+ library. GDI+ parses graphics file formats; such parsing requires complex logic and has frequently been an attack vector.
"It affects Windows, Office and the Lync IM client because they all bring their own copy. There are no known exploits at this time, as opposed to the last update to GDI+ (MS13-096), which addressed a zero-day," added Kandek. "You should apply this update as quickly as possible."
Another bulletin, rated Important, is MS14-034, a Microsoft Word update that addresses one vulnerability in the program's font handling (CVE-2014-2778).
Microsoft rates it only Important because user interaction is required (the victim has to open a Microsoft Word file), but successful exploitation still gives the attacker remote code execution. µ