Security Advisor
Microsoft Addresses 41 IE Flaws in February Patch
This Month's security update also includes two additional "critical" remote code execution fixes for Windows.
Microsoft released February's security update today that includes three bulletins rated "critical" and six rated "important," to bring the total issues fixed to 56.
The vast majority of those problems (41 of them) can be found in bulletin MS15-009, a general security update for Microsoft's Internet Explorer and the top patching priority for IT. The most severe of the holes could lead to a remote code execution (RCE) attack if a malicious Web page was visited in the browser. There's no escaping this bulletin -- all supported versions of the browser running on all supported Windows Server and Windows OS versions are affected.
Along with this bulletin item, Microsoft has also pushed through an Internet Explorer update that blocks insecure fallback to SSL 3.0 in IE 11. The company in December said that this change was coming and last month said the same security protection will be coming to Azure Storage. According to Microsoft, this is the first step in protecting the browser from man-in-the-middle attacks in the form of a Padding Oracle on Downgraded Legacy Encryption (POODLE) flaw. April's security patch will include an update that will disable SSL 3.0 by default in IE 11.
The second critical item of the month (bulletin MS15-010), looks to fix six Windows OS and Windows Server issues in the kernel-mode driver that could lead to an RCE attack through the use of malicious embedded TrueType fonts. This bulletin includes a fix for the issue publicly disclosed by Google last month.
Bulletin MS15-011 rounds out this month's critical items and, again, looks to address an RCE flaw in Windows. Due to the nature in which an attack could exploit this flaw, coupled with compatibility issues that could arise with a fix, Windows Server 2003 will not be receiving an update for this, according to Qualys CTO Wolfgang Kandek.
"The attacker has to trick a user to connect their client machine to the attacker's malicious domain, which places the attack squarely into the enterprise realm, with the attacker controlling the domain controller or able to pose as domain controller," said Kandek in an e-mailed statement. "Interestingly enough Microsoft is not addressing the vulnerability in Windows Server 2003, but states that the fix would be too invasive to guarantee 2003 continued functioning. One more reason to get off the Server 2003 platform as soon as possible, in addition to the coming end-of-life of the platform in July of this year."
Important Updates
Microsoft's February patch also includes six additional important items:
- MS15-012: Repairs three holes in Microsoft Office that could lead to an RCE attack if a malicious Office document was opened.
- MS15-013: Takes care of another Office issue, this time a security feature bypass. If used in conjunction with another vulnerability, harmful code could be executed on a targeted machine.
- MS15-014: Addresses a Windows Group Policy security feature bypass flaw that could lead to the Group Policy Security Configuration Engine policy to be corrupted.
- MS15-015: This elevation-of-privilege vulnerability fix affects Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 R2 and could lead to an attacker gaining admin credentials if gone unpatched.
- MS15-016: Fixes an information disclosure in Windows that could be exploited through the use of a harmful TIFF image.
- MS15-017: The final item of the month looks to correct a flaw in the Virtual Machine Manager (VMM) that could lead to an elevation of privilege.
Many of these bulletins will require a restart before being fully implemented.