Last-minute Internet Explorer fixes have been ushered in on this month’s Patch Tuesday, one of which saves the browser from a publicly known vulnerability.
"As if making up for lost time, Internet Explorer has returned to the mix with a bang," said Ziv Mador from security firm Trustwave.
"This month’s cumulative update covers 24 individual CVEs, twenty-two of which are rated "Critical" and, although three of the bulletins (MS14-005, MS14-007, MS14-011) don’t directly affect Internet Explorer, the web browser is used as a primary attack vector in those cases."
Last week, Microsoft originally stated that it would be issuing five bulletins in February, but two extra bulletins were added this week.
Overall, February’s Patch Tuesday addresses 31 vulnerabilities, with four of the bulletins being earmarked as ‘critical’.
Mador commented on one of the critical bulletins, which addresses Microsoft Forefront Protection for Exchange 2010.
"MS14-008 is also an interesting "Critical" bulletin. It describes a vulnerability in the malware and spam scanner Microsoft Forefront Protection for Exchange 2010. The vulnerability allows for an attacker to create a malicious email that will cause the scanner to execute arbitrary code. It’s an odd case where the security controls that are put in place to protect us are used against us."
Other bulletins include MS14-005, marked as ‘important’, which resolves the publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer.
"By exploiting this vulnerability, an attacker could read files on the user’s local file system or read content of web domains where the user is currently authenticated."
MS14-006 fixes a vulnerability that could lead to denial of service if an attacker sends a large number of specially crafted IPv6 packets to an affected system. To exploit the vulnerability, an attacker’s system must belong to the same subnet as the target system.
This security update is rated "Important" for all supported editions of Windows 8, Windows RT, and Windows Server 2012.
MS14-007, set at ‘critical’, fixes a vulnerability in Direct2D that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.