The Inquirer-Home

Microsoft rolls out critical fixes for Windows and IE in July Patch Tuesday

Fixes 24 CVEs that could be used for remote code execution attacks in Windows and IE
Wed Jul 09 2014, 13:57
TechEd 2014 Microsoft logo

MICROSOFT HAS RELEASED six patches in its monthly Patch Tuesday release next week, two of which are listed as Critical fixes for vulnerabilities in its Windows operating system (OS) and Internet Explorer.

Revealed in an threat advisory, the patches will fix vulnerabilities that Microsoft said could be used by hackers to mount remote code execution attacks.

The update will also include three important Windows updates, and a single moderate fix for a flaw in Windows Server.

"One of the critical issues is the MS14-037 IE fix. This patch is a cumulative roll up, meaning it encompasses previous patches and will supersede them," said security firm Rapid 7's senior manager of security engineering, Ross Barrett.

There are 24 CVEs in this patch, 23 are privately disclosed or internally discovered Remote Code Execution (RCE) issues.

"The 24th (CVE-2014-2783) is a publically disclosed security feature bypass in which IE does not properly validate a certificate chain where wildcard values appear in the certificate," added Barrett. "This would allow an attacker to potentially compromise certificate validation with a specifically crafted attack."

Although two of the patches are rated critical, security experts seem to think that none of the vulnerabilities are too worrying and are part of what appears to be a fairly minor Patch Tuesday.

Security firm Trustwave's threat intelligence manager Karl Sigler said July's Patch Tuesday "seems to be a light release", adding, "These bulletins will affect Internet Explorer, Microsoft Server software and Microsoft Windows. A restart will be necessary to install the updates. This security update should require minimal effort to install and should be quicker to update than normal."

Security experts state that despite being listed as a moderate update, users should still install the Windows Server update as soon as possible.

The advanced advisory follows one of Microsoft's biggest Patch Tuesdays on record. In June, the firm issued a long list of security bulletins across its software line, a record-breaking 59 of which patched the firm's web browser, Internet Explorer (IE).

The release comprised two updates tagged with Microsoft's highest security rating of critical, MS14-035 and MS14-036, and five rated important. The patches fixed 66 vulnerabilities overall, including resolutions for flaws that apply to IE, Microsoft Windows, Microsoft Office and Microsoft Lync. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015