Patch Tuesday: Internet Explorer needs critical patches, again

In a very light set of security bulletins, Microsoft will issue just one that it's ranking critical and it involves Internet Explorer.

In a very light set of monthly security bulletins, Microsoft will issue just one that it's ranking critical and it involves Internet Explorer.

If left unpatched, the browser is subject to attacks that execute malicious code on victim machines, so getting the updates to patch it is important, says Ross Barrett, a security engineer at Rapid7. "This will be the top patching priority for this month," he says.

+[Also on Network World: Surface Pro 3: A great business desktop and a pretty good laptop, too; Microsoft targets Apple, Samsung with cheaper flagship Lumia]+

In addition to the threat posed by the vulnerabilities that the patches correct, these critical browser updates will be challenging for IT organizations, says Eric Cowperthwaite, vice president of advanced security & strategy, Core Security. Installing the updates requires system restarts and the browser in all its versions is widely distributed among organizations. "We don't yet know if there are active exploits in the wild, but there may well be. And, even if not, this appears to be something that is likely to have exploits developed in the near future," Cowperthwaite says.

Vulnerable versions include IE 6, 7, 8, 9, 10, and 11 running on desktop Windows Vista, Windows 7 and Windows 8.1 as well as Windows Server 2003, 2008 and 2012.

The bulletin about the Internet Explorer problems is likely to include a roll-up of fixes for any number of vulnerabilities found over the past month, says Ross Barrett, a security engineer at Rapid7.

The rest of this month's bulletins are rated important, which means that attacks against these vulnerabilities require some action on the user's part in order to succeed. Still, one bulleting warns against vulnerabilities that could lead to escalation of privilege on compromised Windows 8 and 8.1 machines and Server 2012 and 2012 RT, says Jon Rudolph, a senior software engineer at Core Security.

A third bulletin addresses flaws in Windows Server 2003, 2008 and 2012 and Windows Vista, 7, 8, and 8.1 that could lead to DDoS attacks against the machines. The final bulletin involves Lync Server 2010 and 2013 and also addresses problems that could lead to DDoS attacks.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter@Tim_Greene.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags MicrosoftApplesoftwarePatch TuesdaypatchesRapid7Internet Exploer 8Microsodft

More about AppleMicrosoftRapid7Samsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

More videos

Blog Posts

Market Place