Internet Explorer is still the star of Patch Tuesday

Microsoft has fixed 83 flaws in its browser in the last two months.

It's déjà vu all over again. After a mind-blowing 59 separate vulnerabilities were patched in Internet Explorer last month, the Microsoft Web browser is hogging the spotlight again in July.

As predicted last week, Microsoft published six new security bulletins for the July Patch Tuesday, and only two of them are rated Critical; the remaining four are three Important and one Moderate. The two Critical bulletins are a cumulative update for Internet Explorer and a patch for an issue in Windows Journal that could allow an attacker to execute malicious code remotely on a vulnerable system. The Important bulletins address flaws in the on-screen keyboard, the ancillary function driver (AFD) and DirectShow, and the Moderate bulletin deals with a potential denial of service vulnerability in Microsoft Service Bus.

It seems concerning that Internet Explorer still has so many vulnerabilities. Microsoft has fixed 83 flaws in its browser just in the last 45 days or so. "It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal," said Marc Maiffret, CTO of BeyondTrust.

The other Critical security bulletin, MS14-038, is an example of how obscure or rarely used software can still pose a risk. Windows Journal is installed by default in most supported versions of Windows but isn't commonly used.

"In this case, the attack surface can be greatly reduced by uninstalling the affected software or removing associations with the unused program," said Craig Young, security researcher for Tripwire. "One of the best tactics for hardening systems is to remove software or features which are not needed. Doing so protects systems by limiting the lines of code exposed to an attacker and every line of code presents new opportunities for attacks to succeed."

"MS14-039, MS14-040, and MS14-041 fix the issues disclosed in this year's pwn2own contest via the Zero Day Initiative's responsible disclosure process," said Ross Barrett, senior manager of security engineering for Rapid7. "They are all local, elevation of privilege issues by which an unprivileged user or process may gain greater access. They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence. Now that ZDI's embargo has been fulfilled, that exploit code may become publicly available."

Tyler Reguly, manager of security research for Tripwire, sums up with this advice. "IT teams will want to focus on the two critical issues affecting Internet Explorer and Windows Journal. If you cannot apply updates immediately, there are workarounds for both of these critical flaws. Users can switch to a new browser, making sure to set the new browser as the default, and disable any Windows Journal .JNT file associations. While a patch is always preferred, limiting the attack surface is a good backup."
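As an added illustration of the workaround advice above (this script is not from the article or from any of the quoted vendors), the following read-only PowerShell check reports whether Windows Journal is present, whether .JNT files still have a registered handler, and which browser is the current user's default. It assumes the association lives under the `SOFTWARE\Classes\.jnt` key in HKLM and HKCU, that Journal's binary sits at `%ProgramFiles%\Windows Journal\Journal.exe`, and that the per-user default browser is recorded in the `UrlAssociations\http\UserChoice` key.

```powershell
# Added example, not the article's own code. Read-only: it reports and changes nothing.
# Assumed locations (verify on your build):
#   - Windows Journal binary: $env:ProgramFiles\Windows Journal\Journal.exe
#   - .JNT association:       HKLM/HKCU \SOFTWARE\Classes\.jnt (default value = ProgID)
#   - Default http handler:   HKCU:\...\UrlAssociations\http\UserChoice (ProgId value)

function Get-JntHandler {
    param([Parameter(Mandatory)][string]$Hive)   # 'HKLM:' or 'HKCU:'
    $key = Join-Path $Hive 'SOFTWARE\Classes\.jnt'
    if (-not (Test-Path -Path $key)) { return $null }
    # The extension key's default value names the ProgID that opens the file type.
    return (Get-Item -Path $key).GetValue('')
}

function Get-DefaultHttpHandler {
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
    if (-not (Test-Path -Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProgId
}

$journalExe = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'

$report = [ordered]@{
    JournalInstalled   = Test-Path -Path $journalExe
    MachineJntHandler  = Get-JntHandler -Hive 'HKLM:'
    UserJntHandler     = Get-JntHandler -Hive 'HKCU:'
    DefaultHttpHandler = Get-DefaultHttpHandler
}

$report.GetEnumerator() | ForEach-Object { '{0,-19} {1}' -f $_.Key, $_.Value }

# Surface the two conditions the quoted workaround is meant to eliminate.
if ($report.JournalInstalled) {
    Write-Warning 'Windows Journal is present; uninstall it or apply MS14-038.'
}
if ($report.MachineJntHandler -or $report.UserJntHandler) {
    Write-Warning '.JNT files still have a registered handler; remove the association if Journal is unused.'
}
if ($report.DefaultHttpHandler -like 'IE.*') {
    Write-Warning 'Internet Explorer is the default browser; apply the cumulative IE update or switch the default.'
}
```

Run it in an elevated session so the HKLM key is readable on every build, and treat the warnings as a to-do list for hosts that cannot be patched immediately.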


Stories by Tony Bradley
