Security Advisor

'Critical' IE Fix Highlights Microsoft's May Patch

This month's security update also includes "critical" bulletins for Windows, Office and .NET Framework.

Microsoft may be killing off its monthly Patch Tuesday in favor of non-scheduled security update rings, but the death blow has yet to come. The company today released its May security update, packed with three bulletins rated "critical" and 10 rated "important."

IT departments looking to prioritize this month's offerings should first focus on bulletin MS15-043, a cumulative security update for Internet Explorer. All supported versions of the Web browser are affected and, if left unpatched, the most severe issue could lead to a remote-code-execution (RCE) attack.

While details are usually scarce unless one is enrolled in Microsoft's bulletin notification program, the company this month has broken out how it is modifying IE:

The security update addresses the vulnerabilities by:

  • Modifying how Internet Explorer handles objects in memory
  • Helping to ensure that affected versions of JScript and VBScript and Internet Explorer properly implement the ASLR security feature
  • Adding additional permission validations to Internet Explorer
  • Helping to prevent information stored in a user's clipboard from being accessed by a malicious site

While none of the issues (Microsoft did not disclose how many there are) is currently being exploited in the wild, it is always important to apply updates for Web-facing software as soon as possible, according to Qualys CTO Wolfgang Kandek.

"Attackers have at their disposal a number of exploits for a diverse set of vulnerabilities to adapt to the target's machine," said Kandek in an e-mailed statement. "It is safe to say that their favorite attack vectors include Internet Explorer, native Windows vulnerabilities and Adobe Flash, which all receive monthly updates publishing upwards of 20 CVEs per month. You should be prepared to install these updates as quickly as possible."

The next item is a fix for an unknown number of issues in Windows Journal, Microsoft's note-taking application that reads and writes JNT format files. Affecting all supported versions of Windows Server and the Windows client OS (including the available Windows 10 previews), the fix looks to block an attacker from instigating an RCE attack through a malicious Journal file.

Along with applying the update, Microsoft recommends not opening JNT files received from unknown sources. Also, if Windows Journal is not used, the .jnt file type association can be blocked so that such files are not opened by Journal at all.
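The workaround of blocking the .jnt file type association can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft's bulletin; it assumes the standard association layout (the default value of a `.jnt` key under `HKEY_CLASSES_ROOT` or the per-user `HKCU:\Software\Classes` holds the ProgID) and must run in an elevated session. It reports what handles `.jnt`, exports a backup so the association can be restored once the patch is applied, and then removes the key.

```powershell
# Added example (not the article's or Microsoft's code): inspect and remove the
# .jnt file-type association as a stop-gap until Windows Journal is patched.
# Assumption: the association is stored as the default value of a ".jnt" key in
# the machine-wide (HKCR) and/or per-user (HKCU\Software\Classes) hives.

function Get-JntAssociation {
    # Return every location where ".jnt" is currently associated with a ProgID.
    $paths = @(
        'Registry::HKEY_CLASSES_ROOT\.jnt',
        'HKCU:\Software\Classes\.jnt'
    )
    foreach ($p in $paths) {
        if (Test-Path -Path $p) {
            $progId = (Get-ItemProperty -Path $p).'(default)'
            [pscustomobject]@{ Path = $p; ProgId = $progId }
        }
    }
}

function Disable-JntAssociation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder where a .reg backup of each removed key is written.
        [string]$BackupDir = $env:TEMP
    )
    $found = @(Get-JntAssociation)
    if ($found.Count -eq 0) {
        Write-Output 'No .jnt association present; nothing to do.'
        return
    }
    foreach ($assoc in $found) {
        Write-Output ".jnt at $($assoc.Path) is handled by ProgID '$($assoc.ProgId)'."
        # reg.exe wants the native hive name rather than the PowerShell drive path.
        $native = $assoc.Path -replace '^Registry::', '' -replace '^HKCU:', 'HKEY_CURRENT_USER'
        $safeName = ($native -replace '[\\:]', '_') + '.reg'
        $backup = Join-Path -Path $BackupDir -ChildPath $safeName
        if ($PSCmdlet.ShouldProcess($assoc.Path, 'Export backup and remove association')) {
            & reg.exe export $native $backup /y | Out-Null
            Write-Output "Backup written to $backup (restore with: reg.exe import `"$backup`")"
            # Only the double-click handler goes away; Windows Journal stays installed.
            Remove-Item -Path $assoc.Path -Recurse -Force
            Write-Output "Removed $($assoc.Path)."
        }
    }
}

# Usage: review first, then apply.
Get-JntAssociation
Disable-JntAssociation -WhatIf   # drop -WhatIf to perform the removal
```

Because the function supports `-WhatIf`, it can be dry-run through a management tool before being pushed to many machines; after the Journal update is installed, the exported `.reg` file restores the association if the application is still needed.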

The final critical item (MS15-044) for May is a font driver flaw spanning many products that could lead to an RCE attack if a harmful TrueType font is embedded in a document or Web site. The fix covers all supported versions of the Windows client OS, Windows Server, Microsoft Office, Microsoft Lync, .NET Framework, and Microsoft Silverlight. Plan to spend more time testing this update before applying it, due to its large reach.

The remaining security updates address less serious problems in the Windows client OS, Windows Server, .NET Framework and Microsoft Silverlight. Many of the updates will require a restart before they are fully applied. More information on May's patches can be found on Microsoft's Security Bulletin Summary page.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
