Security Advisor

2 Last-Minute 'Critical' XP Fixes Join Microsoft's February Patch

Microsoft's monthly patch includes four 'critical' and three 'important' fixes that address a total of 32 vulnerabilities.

Microsoft released its monthly security patch today with two additional items that were added just hours ago.

Microsoft announced yesterday that two additional 'critical' security patches would join the two critical patches listed in last week's advance notification, bringing the month's total to four critical and three 'important' security bulletins. The two late additions address vulnerabilities in Internet Explorer and in the VBScript scripting engine, and both are rated critical for Windows XP (among other Windows versions). Note that after today's release, Microsoft has only two more monthly patch cycles in which to ship fixes for Windows XP before support ends in April.

The first new addition, bulletin MS14-010, is a cumulative security update for Internet Explorer that addresses 24 separate vulnerabilities in the browser. Because browser vulnerabilities are comparatively easy to exploit, security experts say this bulletin should be IT's top priority today.

"An attacker who successfully exploited the most severe of these [Internet Explorer] issues could execute code at the level of the logged on user," said Microsoft's Dustin Childs in a blog post. "Customers who deploy this update will be protected from that scenario."

Once that bulletin has been applied, the next priority should be the second late addition, bulletin MS14-011. According to Microsoft, it addresses one privately reported flaw in the VBScript scripting engine in Windows and is rated critical for Windows XP, Vista, 7 and 8 machines running Internet Explorer 8, 9 or 10.

If left unpatched, the vulnerability could allow remote code execution (RCE) when a user clicks a malicious link embedded in an e-mail or instant message.

Bulletin MS14-007, the third critical fix for the month, addresses a single Direct2D flaw that could allow RCE if a user clicked a malicious link in Internet Explorer. The fix applies to Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012 and Windows RT.

The final critical item of the month, bulletin MS14-008, addresses one issue in Microsoft Forefront Protection 2010 for Exchange Server. Those still running the product should apply the update to avoid the risk of an RCE attack, but a smarter move would be to upgrade to a newer version in the near future, according to Russ Ernst, director of product management at security firm Lumension.

"This [bulletin] is an example of Microsoft honoring their commitment to fixing any security gaps in this application, but this should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application," said Ernst in an e-mailed statement. "Administrators that currently use Forefront Protection for Exchange have until December 2015 to get this done."   

Important Items
Microsoft's February "important" bulletins include:

  • MS14-005: Addresses a single flaw in Microsoft XML Core Services that, if left unpatched, could lead to unauthorized information disclosure.
  • MS14-006: Addresses a flaw in Windows 8, Windows RT and Windows Server 2012 that could be exploited with a malicious IPv6 packet.
  • MS14-009: The final item this month fixes two .NET Framework flaws that could allow an attacker to gain elevation of privilege if a target visits a malicious Web site.

Many of these bulletins require a restart before they take full effect. More details on this month's patch can be found here.
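For administrators working through the priority order above, the following PowerShell script is an added example (not from the article, Microsoft or Lumension) that audits a host for a list of KB numbers and reports whether a restart is still pending. The article does not list KB numbers for these bulletins, so $RequiredKBs is a hypothetical placeholder list to replace with the KB numbers from each bulletin's Microsoft page; the function names Test-PendingReboot and Get-MissingHotFix are my own.

```powershell
# Added example, not code from the article: check which required KBs are
# installed on a Windows host and whether a reboot is still outstanding.

function Test-PendingReboot {
    # Component Based Servicing and Windows Update each leave a registry
    # key behind when an installed update still needs a restart; a queued
    # file rename at boot is a third signal that servicing is incomplete.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfr = ($null -ne $sm) -and ($null -ne $sm.PendingFileRenameOperations)

    [pscustomobject]@{
        ComponentBasedServicing = $cbs
        WindowsUpdate           = $wu
        PendingFileRename       = $pfr
        RebootPending           = ($cbs -or $wu -or $pfr)
    }
}

function Get-MissingHotFix {
    param(
        [Parameter(Mandatory)][string[]]$RequiredKBs,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID has the form "KB1234567".
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $RequiredKBs) {
        [pscustomobject]@{
            Computer  = $ComputerName
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Hypothetical placeholder list: substitute the KB numbers published with
# bulletins MS14-005 through MS14-011 (they are not given in the article).
$RequiredKBs = @('KB0000001', 'KB0000002')

# Report only what is still missing, then the reboot state.
Get-MissingHotFix -RequiredKBs $RequiredKBs | Where-Object { -not $_.Installed }
Test-PendingReboot
```

One caveat: Win32_QuickFixEngineering does not record every kind of update (MSI-based packages such as some .NET Framework updates can be absent), so treat a WSUS or System Center compliance report as authoritative and use this only as a quick spot check after the restart.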


About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

