Microsoft's Light March Patch Includes Critical IE Fix
This month marks the third relatively light patch rollout for Microsoft in a row for 2014.
Microsoft released its monthly security update today, which features only two "critical" and three "important" security bulletins.
The five items address 23 different vulnerabilities in Microsoft's products, with a majority 18 of the 23 addressed in a cumulative update for Internet Explorer. The IE fix (bulletin MS14-012) affects all currently supported versions of Microsoft's Web browser and is rated critical for all supported Windows OSes and rated "moderate" for supported Windows Server versions.
While the number of IE vulnerabilities is high, only two of the 18 have been used in active attacks -- the first being a zero-day attack that was first discovered by security firm FireEye early last month. Even though Microsoft released a "fix it" for this shortly after being notified of the vulnerability, today's bulletin provides a permanent solution.
As for the second active vulnerability, Microsoft said the attacks are extremely limited due to most Windows users being immune. "This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8," wrote Microsoft's Dustin Childs in a blog post. "Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above."
Due to the active nature of the vulnerability, bulletin MS14-012 should be the top patch priority for IT this month.
The second critical item, bulletin MS14-013, looks to fix a remote code execution (RCE) flaw in all supported versions of Windows. The issue occurs in Microsoft DirectShow -- the company's media-streaming architecture that allows playback of audio and video. An attack can occur if a malicious image file is opened, allowing the attacker to gain remote access to the targeted system.
It's important to note that this will be one of Windows XP's last official security updates from Microsoft and that the last chance for any security fixes will come in next month's April 8 security update.
Microsoft's March important bulletins include:
- MS14-014: Addresses a privately reported flaw in Microsoft Silverlight that could provide attackers with a way to bypass the address space layout randomization (ASLR) security feature in Windows.
- MS14-015: This bulletin addresses two vulnerabilities in Windows kernel-mode driver that could allow an elevation of privilege if a specially crafted application is installed on a system.
- MS14-016: The final item this month fixes a vulnerability in Windows' Security Account Manager Remote (SAMR) protocol that could allow a security bypass if multiple password attempts are done on a system.
For those keeping score, Microsoft has started 2014 with three light monthly patches in a row. To date, only 16 have been issued -- 11 fewer bulletins than Microsoft issued in the first three months of 2013.
Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.