Security Advisor

'Critical' IE Fix Highlights Microsoft's May Patch

This month's security update also includes "critical" bulletins for Windows, Office and .NET Framework.

Microsoft may be killing off its monthly Patch Tuesday in favor of non-scheduled security update rings, but the death blow has yet to come. The company released today its May security update, packed with three bulletins rated "critical" and 10 "important."

IT looking to prioritize this month's offerings should first focus on bulletin MS15-043, a cumulative security update for Internet Explorer. All supported versions of the Web browser are affected and, if gone unpatched, the most severe issue could lead to a remote-code-execution (RCE) attack.

While details are usually scarce unless enrolled in Microsoft's bulletin notification program, the company this month has broken out how it is modifying IE:

The security update addresses the vulnerabilities by:

  • Modifying how Internet Explorer handles objects in memory
  • Helping to ensure that affected versions of JScript and VBScript and Internet Explorer properly implement the ASLR security feature
  • Adding additional permission validations to Internet Explorer
  • Helping to prevent information stored in a user's clipboard from being accessed by a malicious site

While none of the undisclosed number of issues are currently being exploited in the wild, it's always important to apply updates related to Web-based apps as soon as possible, according to Qualys CTO Wolfgang Kandek.

"Attackers have at their disposal a number of exploits for a diverse set of vulnerabilities to adapt to the target's machine," said Kandek in an e-mailed statement. "It is safe to say that their favorite attack vectors include Internet Explorer, native Windows vulnerabilities and Adobe Flash, which all receive monthly updates publishing upwards of 20 CVEs per month. You should be prepared to install these updates as quickly as possible."

Next item is a fix for an unknown number of issues in Windows Journal --Microsoft's note-taking application that reads and writes JNT format files. Affecting all supported versions of Windows Server and Windows OS (including the available Windows 10 previews), the fix looks to block an attacker from instigating an RCE attack through the use of a malicious Journal file.

Along with applying the update, Microsoft recommends that JNT files received from unknown sources should not be opened. Also, if Windows Journal is not used, the .jnt file type association can be blocked.

The final critical item (MS15-044) for May is a widespread font driver error that could lead to an RCE attack if a harmful TrueType font is embedded in a document or Web site. T he fix covers all supported versions of Windows OS, Windows Server, Microsoft Office, Microsoft Lync, .NET Framework, and Microsoft Silverlight. Plan to spend more time testing this update before applying due to its large reach.

The remaining security update addresses less serious problems in Windows OS, Windows Server, .NET Framework and Microsoft Silverlight. Many of the updates will require a restart before being fully applied. More information on May's patch can be found on Microsoft's Security Bulletin Summary page.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube