Microsoft addresses critical IE vulnerabilities for Patch Tuesday

For this month's Patch Tuesday, Microsoft covers 24 vulnerabilities found in Internet Explorer

Administrators hoping to slack off a bit for this month's Microsoft Patch Tuesday will have no opportunity to do so. At the last minute, Microsoft added a slew of Internet Explorer (IE) fixes to its monthly release of software patches, including one patch that fixes a publicly known vulnerability.

"If there were some people who were counting on a quiet Patch Tuesday, it turned out not to be the case," said Wolfgang Kandek, chief technology officer of IT security firm Qualys. "We have to do quite a bit more work to get everything tested and in place."

Originally, Microsoft announced last week that it would issue five bulletins this month, though, on Monday, it added two additional critical bulletins, covering IE and Windows.

Microsoft did not provide an explanation for the additional bulletins, beyond the fact that the company had finished testing them.

Last year, Microsoft had to recall at least 23 patches, due in part to incomplete testing. This month's late inclusions may be a sign that Microsoft is being more conservative when deciding which patches to issue. Only when these patches were completed were they added to the monthly patch release.

"In the end, you want that update to install smoothly for everybody," Kandek said. "You want to make sure you get as little breakage as possible."

For this month, four of the seven bulletins are ranked as critical -- the highest priority -- and the remaining were deemed important. In total, this month's release of patches covers 31 vulnerabilities.

The critical bulletin covering IE, MS14-010, addresses 24 previously reported vulnerabilities, including one that is already publicly known. The most severe of these vulnerabilities could allow for remote code execution that could be triggered by a user visiting a maliciously crafted Web page.

Two other critical bulletins address flaws in the Windows operating system. One critical vulnerability lies in the VBScript Scripting Engine, covered by MS14-011. The second is found in the Direct2D hardware acceleration software and is addressed by MS14-007. Both could lead to remote execution attacks as well.

The final critical bulletin for February, MS14-008, addresses a privately disclosed vulnerability in Microsoft Forefront Protection for Exchange. The vulnerability could be exploited by a maliciously crafted email message sent to a Microsoft Exchange server monitored by Forefront security software.

Microsoft discontinued Forefront in 2012, though it will continue supporting the software with bug fixes through 2015, according to security firm Lumension.

The remaining important vulnerabilities cover issues found in Microsoft .Net and Microsoft Windows.

Kandek also urged administrators to apply Adobe's emergency patch for Flash, which was issued last week.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityExploits / vulnerabilities

More about Adobe SystemsIDGLumensionMicrosoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts