Microsoft debugs Explorer, Windows with Patch Tuesday updates

Critical IE patches address vulnerabilities that could lead to remote code execution

Another month of security updates from Microsoft means, once again, another round of fixes for the company's Internet Explorer (IE) Web browser, as well as a set of updates for the Windows operating system, for both the server and desktop editions.

Overall, Microsoft has issued six bulletins in July's "Patch Tuesday" collection of software fixes. Microsoft issues these collections on the second Tuesday of each month, hence the name "Patch Tuesday."

Two of the patches are marked as critical, meaning they address defects in Microsoft's software that could be readily exploited by malicious attackers to compromise systems. One of the critical bulletins is for IE, and the other one is for Windows.

Three of the remaining bulletins are denoted as "important" by Microsoft and one as "moderate." These bulletins cover Windows and the messaging component of Windows Server.

A single bulletin may cover multiple patches for a single piece of software, such as Microsoft Windows.

Wolfgang Kandek, chief technology officer for security firm Qualys, advised administrators to look at the IE patches first. IE update MS-14-037 addresses one publicly disclosed vulnerability and 23 privately reported vulnerabilities. The critical patches in this set all address vulnerabilities that could lead to remote code execution, which would allow an attacker to gain privileges on a machine by tricking a user to view a specially crafted Web page using the browser.

The critical Windows update MS14-038 covers a remote execution vulnerability that originates in a faulty way for how Windows opens files in the Windows Journal file format. Windows Journal is Microsoft's software for capturing handwritten notes on a computer. It can be used not only for touch-enabled devices, but also for other non-touch Windows computers to read files in that format.

If an organization does not use the Journal format, it may be a good idea to turn off the capability altogether in its Windows machines, so as to reduce the "attack surface" of these computers, Kandek said. In general, it is a good idea to turn off any unneeded services in computers if an administrator has the time to do this, he said.

While administrators are in the mode of testing and applying software patches, they should also take a close look at the critical patches Adobe has issued Tuesday for its Flash player.

Oracle shops should also prepare for Oracle's quarterly round of patches, due to be issued Thursday.

IE tends to get the most of the fixes in Patch Tuesday not necessarily because it is inherently more buggy than other Microsoft software, but because it is widely used software that could provide an entry point for outsiders to break into the computers that run the browser. As a result, it is under such scrutiny by both malicious attackers and security researchers.

IE is not necessarily any more buggy than other popular browsers, such as Google Chrome or Mozilla's Firefox. Both Google and Mozilla have automatic updates for their browsers, so a vulnerability can get addressed as soon as the developers create a patch to fix the problem, noted Amol Sarwate, the director of Qualys' Vulnerability Labs. As a result, such bugs and their attendant fixes are rarely called out in the press, unless they are critical in nature.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Microsoftsecuritypatch managementExploits / vulnerabilities

More about Adobe SystemsGoogleIDGMicrosoftMozillaOracleQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts