Six down, six to go. Today is the Microsoft Patch Tuesday for June, and it comes with seven new security bulletins. The good news is that five of the seven are only rated as Important, but one of the two Critical security bulletins—the cumulative update for Internet Explorer—is huge.
In all, the seven security bulletins address a total of 66 specific vulnerabilities. The Cumulative Security Update for Internet Explorer (MS14-035) accounts for 59 of them—a record for a single Microsoft security bulletin.
Microsoft issued fixes for flaws in remote desktop, Lync Server, XML Core Services, Word, the TCP protocol, and the Microsoft Graphics Component that affect a range of products and services including versions of Windows and Office. The impact of a successful exploit ranges from denial of service, to information disclosure, to remote code execution, but the “star” of the show is Internet Explorer.
“Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21,” says Russ Ernst, director of product management for Lumension.
The cumulative update from Microsoft includes a fix for the vulnerability reported to ZDI. Thankfully, none of the vulnerabilities fixed by this update are actively under attack as far as we know. Even the two flaws that are already publicly disclosed are not facing any known active attacks.
That said, with 59 separate vulnerabilities in the most widely-used browser, it is an absolute certainty that malware developers will be working diligently to reverse-engineer the patches and craft exploits to target those flaws. It is absolutely imperative that you apply the patch for MS14-035 as soon as possible.
The other Critical security bulletin this month—MS14-036—addresses a couple vulnerabilities in Microsoft Graphics component that could enable remote code execution if successfully exploited. The list of affected applications is extensive, including all versions of Windows and Office.
Tyler Reguly, manager of security research for Tripwire, stresses that upgrading to more current operating systems and applications has perks from a security perspective. “MS14-034, which affects only Office 2007, is a reminder that Microsoft's Security Development Lifecycle really does work," he says. "It would be nice to see them shorten their support Windows, forcing consumers and enterprises to upgrade more frequently. This would remove older, more vulnerable software from the picture.”
Review the security bulletins from Microsoft and figure out which ones apply to you. I recommend you install all applicable updates to fix vulnerabilities before malware developers figure out how to exploit them. Start with the two Critical updates—MS14-035 and MS14-036—but then move as quickly as possible to implement the rest of the updates as well.