Microsoft Patch Tuesday targets Internet Explorer drive-by attacks

Internet Explorer vulnerabilities warrant notice in this month's set of Microsoft Patch Tuesday bulletins and need to be fixed quickly even though the sheer number of patches may seem daunting.

The weaknesses leave users open to drive-by attacks where malicious code is downloaded without the user's knowledge while browsing. Not patching them because they are time-consuming will just widen the window of opportunity hackers have to exploit them, says Alex Horan, a senior product manager at CORE Security.

[ INNOVATION: 6 of the very coolest new Microsoft lab projects

MORE: 12 essential Windows 8 keyboard shortcuts

QUIZ: Microsoft CEO Steve Ballmer said what? ]

"Preventing future drive-by style attacks and protecting end-users appear to be the theme of this month's Patch Tuesday," Horan says. "These patches can be a hassle for users to deploy and have the potential to create a long enough delay where hackers can take advantage."

So far the weaknesses haven't been exploited. "Fortunately, this issue has no known attacks in the wild," says Paul Henry, a security and forensic analyst at Lumension. "However, you should still plan to patch this immediately. "

Four of seven bulletins for March are rated critical, with the first addressing browser problems. "It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT," says Qualys CTO Wolfgang Kandek.

Microsoft's Silverlight media application framework is also critically vulnerable, according to the company's Security Bulletin Advance Notification. It affects Silverlight whether deployed on Windows or Mac OS X operating systems, where it is used to run media applications such as Netflix, Kandek says.

This vulnerability is more of concern to consumers because it only affects the Silverlight plug-in. Henry says plug-ins should be avoided in general. "[T]hey add another threat vector and are frequently an easy target for the bad guys," he says.

Also in critical need of patching is Microsoft's drawing application Visio, which comes as a surprise to Kandek. "It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the 'critical' rating," he says.

Critical vulnerabilities are those that could allow code execution without user interaction if they are successfully exploited. This type of exploit includes network worms, browsing to infected Web pages or opening infected emails.

The final critical vulnerability lies in SharePoint Server, Microsoft says.

Three of the bulletins are rated important and include two that could allow data to leak and one that could allow attackers to elevate privileges on an exploited machine. Important bulletins include vulnerabilities that could lead to compromised confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources, Microsoft says. Such exploits may include warnings or prompts.

Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.

Read more about software in Network World's Software section.

Join the CSO newsletter!

Error: Please check your email address.

Tags SharepointMicrosoftsecurityPatch Tuesday Internet ExplorerWindowssoftwareVisioMicrosoft Patch Tuesdayoperating systems

More about LumensionMicrosoftNetflixQualysVisio

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts