Patch Tuesday: Microsoft issues critical fixes for all versions of Internet Explorer
It’s Patch Tuesday, and Microsoft has issued six security bulletins including two which are rated "critical" and allow for Remote Code Execution (RCE), and three which are labeled "important" and allow for elevation of privilege inside Windows. The final patch is rated "moderate" and fixes a Denial of Service vulnerability in the Service Bus for Windows.
The patches affect all versions of Internet Explorer, as well as most versions of Windows. XP users are at risk from these vulnerabilities, but are not covered by the updates.
The critical-rated Bulletin 1 is the most important and is for all versions of Internet Explorer, from IE6 up. As most attacks go through your web browser, this is a must-install.
Bulletin 2, also rated critical, fixes issues with all desktop versions of Vista, Windows 7, 8 and RT, and all servers newer than Windows Server 2003. This patch will require you to reboot your system afterwards.
Bulletins 3, 4, and 5 relate to elevation of privilege vulnerabilities affecting all versions of Windows. These are local vulnerabilities and so won’t allow hackers to execute code via the network. Their importance shouldn’t be played down, however.
Wolfgang Kandek, CTO of cloud security provider Qualys, observes: "Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attacker gets an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in -- we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine."
The final vulnerability is addressed by Bulletin 6 and relates to a Denial of Service vulnerability in the Service Bus for Windows, a newer component of Windows in use in the Windows Azure environment for the development of loosely coupled applications. Of this Bulletin, Kandek says, "In our estimate few companies will have installed that component and on Azure, Microsoft will take care of the patching for you."
Keep an eye out for the new patches on Windows Update and install them as soon as possible. If you have automatic updates turned on, you’ll be prompted to reboot your system once Bulletin 2 is applied.