Time to patch Internet Explorer again

While the entire world was focused on the Apple media event today, and the unveiling of the iPhone 6, iPhone 6 Plus, and the Apple Watch, it also happened to be the second Tuesday of the month, which makes it Patch Tuesday. It was a light month–with four total security bulletins, only one of which is rated as Critical–but [inlinetweet prefix=”” tweeter=”” suffix=””]Internet Explorer is once again the primary focus[/inlinetweet].

I actively use Internet Explorer, and I have never really jumped on the anti-IE bandwagon. Month after month after month of Internet Explorer dominating the Patch Tuesday news, however, does make me think twice about the Microsoft browser. The other browsers have security flaws as well, and Microsoft does a seemingly good job of identifying and resolving issues in Internet Explorer, but it seems like many Microsoft Patch Tuesdays would be trivial, almost meaningless events for most users if you take IE out of the equation.

I wrote about this month’s Patch Tuesday updates in this blog post:

It’s hard to imagine that we are already three-fourths of the way through 2014—at least as measured by Microsoft Patch Tuesdays. Today, Microsoft released four new security bulletins, but only one of them is Critical. Guess which one?

Yes. Internet Explorer. Once again Microsoft’s web browser takes center stage as the most crucial of the Patch Tuesday security bulletins. Microsoft resolved a grand total of 42 separate vulnerabilities this month, but 37 of those 42 are addressed in MS14-052—the cumulative update for Internet Explorer. One of the flaws fixed by MS14-052 is publicly known and actively under attack in the wild, which is why this security bulletin is Critical.

“The bulletin fixes zero day vulnerability CVE-2013-7331, which can be used to leak information about the targeted machine,” says Qualys CTO Wolfgang Kandek in a blog post. “CVE-2013-7331 allows attackers to determine remotely through a webpage the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes. This capability has been used in the wild by malware to check if anti-malware products or Microsoft’s Enhanced Mitigation Toolkit (EMET) is installed on the target system and allows the malware to adapt its exploitation strategy.”

Click here to read the full story at PCWorld: Internet Explorer steals the Patch Tuesday spotlight again.

Tony Bradley: I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.
Related Post