Security Advisor

Microsoft's Light March Patch Includes Critical IE Fix

This month marks the third relatively light patch rollout for Microsoft in a row for 2014.

Microsoft released its monthly security update today, which features only two "critical" and three "important" security bulletins.

The five items address 23 different vulnerabilities in Microsoft's products, with the majority, 18 of the 23, addressed in a cumulative update for Internet Explorer. The IE fix (bulletin MS14-012) affects all currently supported versions of Microsoft's Web browser and is rated critical for all supported Windows OSes and "moderate" for supported Windows Server versions.

While the number of IE vulnerabilities is high, only two of the 18 have been used in active attacks -- the first being a zero-day that security firm FireEye discovered early last month. Even though Microsoft released a "fix it" for this shortly after being notified of the vulnerability, today's bulletin provides a permanent solution.

As for the second actively exploited vulnerability, Microsoft said the attacks are extremely limited because most Windows users are immune. "This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8," wrote Microsoft's Dustin Childs in a blog post. "Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above."

Due to the active nature of the vulnerability, bulletin MS14-012 should be the top patch priority for IT this month.

The second critical item, bulletin MS14-013, looks to fix a remote code execution (RCE) flaw in all supported versions of Windows. The issue occurs in Microsoft DirectShow -- the company's media-streaming architecture that allows playback of audio and video. An attack can occur if a malicious image file is opened, allowing the attacker to gain remote access to the targeted system.

It's important to note that this is one of Windows XP's last official security updates from Microsoft; the final chance for any XP security fixes will come in next month's April 8 security update.

Important Items
Microsoft's March important bulletins include:

  • MS14-014: Addresses a privately reported flaw in Microsoft Silverlight that could provide attackers with a way to bypass the address space layout randomization (ASLR) security feature in Windows.
  • MS14-015: This bulletin addresses two vulnerabilities in the Windows kernel-mode driver that could allow an elevation of privilege if a specially crafted application is installed on a system.
  • MS14-016: The final item this month fixes a vulnerability in Windows' Security Account Manager Remote (SAMR) protocol that could allow a security bypass when multiple password attempts are made against a system.

For those keeping score, Microsoft has started 2014 with three light monthly patches in a row. To date, only 16 have been issued -- 11 fewer bulletins than Microsoft issued in the first three months of 2013.

Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
