59 IE Flaw Fixes Included in Microsoft's June Security Update
Plus: Microsoft warns of the importance of keeping Java patched.
Today's monthly security patch from Microsoft comes equipped with an Internet Explorer cumulative update (bulletin MS14-035) that aims to take care of 59 different flaws in the Web browser.
The item, which is rated "critical," affects all supported versions of Internet Explorer and the most severe of the flaws could lead to a remote code execution (RCE) attack if gone unpatched. While there hasn't been any active attacks using any of the 59 flaws up to this point, this item should be a top patching priority for IT due to the relative ease in which attacks could start to surface, according to security experts.
"Microsoft asserts that while two of the vulnerabilities (CVE-2014-1770 & CVE-2014-1771) have been publically disclosed, none are known to be under active exploitation," said Ross Barrett, senior manager of security engineering at Rapid7, in an e-mailed statement. "That said, CVE-2014-1770 was disclosed through the Zero-Day Initiative (ZDI) and exploit code is known to exist and will likely become public in the near future. This is the top patching priority."
Along with the lengthy list of vulnerabilities fixed, Microsoft is also recommending that users update to the latest version of Internet Explorer to keep their systems more secured against Web attacks. For those running Windows 7 and 8, that means updating to the latest Internet Explorer 11, which includes both the Smart Screen filter and Enhanced Protection Mode features.
The second and final critical item of the month, bulletin MS14-036, looks to fix two privately reported issues in the Microsoft Graphics component. The flaws could lead to an RCE attack if a malicious file or Web page is opened. This item means that many Microsoft products will need to be updated, including Windows Vista, Windows 7, Windows 8, 8.1, RT and all supported versions of Windows Server, Lync and Live Meeting.
While this bulletin doesn't concern any currently active attacks, the amount of products affected means that IT may be spending more time on this one to get systems fully updated. "Given this extensive list of impacted applications and systems, administrators should have their test systems up to date to ensure a smooth roll-out," said Russ Ernst, director of product management at security firm Lumension.
Microsoft's June patch also includes the following five bulletins rated "important":
- MS14-030: This rare "tampering" fix addresses one privately reported issue in Windows 7, 8, 8.1, Windows Server 2012 and Windows Server 2012 R2. According to Microsoft, this "vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session."
- MS14-031: Fixes a denial of service vulnerability in the TCP protocol for all supported versions of Windows and Windows Server.
- MS14-032: This bulletin fixes one reported issue in Microsoft Lync Server that could lead to an information disclosure if a specially crafted malicious meeting URL was clicked.
- MS14-033: Addresses a privately reported flaw in the Microsoft XML Core Services (MSXML) that could lead to an information disclosure action if a harmful Web URL was clicked on in Internet Explorer.
- MS14-034: The final item fixes a flaw that could lead to an RCE attack in Microsoft Office 2007 if a malicious file were opened in Microsoft Word.
Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.
Keep Java Patched
Along with today's patch, Microsoft has released a security blog discussing the importance of keeping systems running Java up to date. According to Tim Rains, director with Microsoft's Trustworthy Computing group, attackers target Java flaws aggressively and keeping the Oracle item patched is one of the most effective ways to protect against outside attacks, especially with the proliferation of exploit kits used by attackers.
"Besides ease of use, the key feature to the success of these kits is that exploit kit makers continually update the set of exploits included in their kits: adding new exploits as they are discovered and discarding old exploits that are no longer effective or are considered too likely to be detected by security software," wrote Rains.
According to Microsoft, Java Runtime Environment (JRE) exploits originating from one of these attack kits accounted for 84.6 percent to 98.5 percent of all attacks detected by Microsoft's antimalware software in 2013. To have the best chance of protecting environments from these attacks, Microsoft suggests the following:
- Deploy the latest versions of applications, including the latest OS Web browser and Office offerings, which will have the most up-to-date security features.
- Use Microsoft's free Enhanced Mitigation Experience Toolkit (EMET), which will protect against commonly used attack techniques.
- Apply security updates as soon as possible due to the increased risk of active exploitation that occurs after an update is released.
- Make sure every system is running the latest version of Oracle's JRE.