Security Advisor

Microsoft's Light March Patch Includes Critical IE Fix

This month marks the third relatively light patch rollout for Microsoft in a row for 2014.

Microsoft released its monthly security update today, which features only two "critical" and three "important" security bulletins.

The five items address 23 different vulnerabilities in Microsoft's products, with the majority, 18 of the 23, addressed in a cumulative update for Internet Explorer. The IE fix (bulletin MS14-012) affects all currently supported versions of Microsoft's Web browser and is rated "critical" for all supported Windows OSes and "moderate" for supported Windows Server versions.

While the number of IE vulnerabilities is high, only two of the 18 have been used in active attacks -- the first being a zero-day attack that was first discovered by security firm FireEye early last month. Even though Microsoft released a "fix it" for this shortly after being notified of the vulnerability, today's bulletin provides a permanent solution.

As for the second active vulnerability, Microsoft said the attacks are extremely limited due to most Windows users being immune. "This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8," wrote Microsoft's Dustin Childs in a blog post. "Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above."

Due to the active nature of the vulnerability, bulletin MS14-012 should be the top patch priority for IT this month.

The second critical item, bulletin MS14-013, looks to fix a remote code execution (RCE) flaw in all supported versions of Windows. The issue occurs in Microsoft DirectShow -- the company's media-streaming architecture that allows playback of audio and video. An attack can occur if a malicious image file is opened, allowing the attacker to gain remote access to the targeted system.

It's important to note that this will be one of Windows XP's last official security updates from Microsoft and that the last chance for any security fixes will come in next month's April 8 security update.

Important Items
Microsoft's March important bulletins include:

  • MS14-014: Addresses a privately reported flaw in Microsoft Silverlight that could provide attackers with a way to bypass the address space layout randomization (ASLR) security feature in Windows.
  • MS14-015: This bulletin addresses two vulnerabilities in the Windows kernel-mode driver that could allow an elevation of privilege if a specially crafted application is installed on a system.
  • MS14-016: The final item this month fixes a vulnerability in Windows' Security Account Manager Remote (SAMR) protocol that could allow a security bypass if multiple password attempts are made on a system.

For those keeping score, Microsoft has started 2014 with three light monthly patches in a row. To date, only 16 have been issued -- 11 fewer bulletins than Microsoft issued in the first three months of 2013.

Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
