Microsoft today addressed a total of 37 vulnerabilities across nine bulletins as part of its August 2014 Patch Tuesday release, with 26 of those flaws coming in Internet Explorer alone. Ahead of Patch Tuesday, the company also announced two moves meant to improve the security of its beleaguered Web browser.
The "critical" Internet Explorer update, MS14-051, is just the latest in a string of large updates addressing vulnerabilities across all supported versions of the browser, and it includes fixes for several remotely exploitable weaknesses that, if triggered, could allow attackers to gain the same account rights as the current user.
All of the IE security flaws were privately disclosed except one, CVE-2014-2819, which was revealed at last week's Black Hat conference in Las Vegas. Another patched IE vulnerability, CVE-2014-2817, received the first-ever zero rating on Microsoft's exploitability index, meaning it is currently being exploited in the wild; previously, the company had only used a scale of 1 to 3 in order to indicate the likeliness of a flaw being exploited.
Microsoft clamps down on IE security
Beyond delivering patches for IE security bugs this month, Microsoft also made two critical announcements last week that should impact the security of its Web browser now and in the future.
First, the company delivered notice to IE users that it would begin blocking outdated ActiveX controls 30 days after this Patch Tuesday release. In a blog post, the company said the move was meant to press home the importance of updating ActiveX, which is not subject to automatic updates and thus susceptible to attacks similar to those that plague older versions of Java. The new IE security feature, out-of-date ActiveX control blocking, will prevent Web pages from loading outdated ActiveX controls and prompt users to update.
More importantly, Microsoft also set a deadline for moving users of older versions of Internet Explorer to newer, more secure iterations. The move, outlined in a blog post, establishes a minimum IE version, which users and organizations will need to update by Jan. 12, 2016 in order to continue receiving security support. IE9 will be the baseline for Windows Vista users, while the current and latest Internet Explorer version, IE11, will be required for Windows 7 and 8 users. Microsoft noted that corporate IE users concerned about breaking legacy Web applications should consider Enterprise Mode for IE11, which purportedly provides better backward compatibility with older versions of the Web browser.
Much like its Windows XP sun-setting, Microsoft's latest decision is bound to ruffle some feathers as older IE versions are still widely used. In fact, IE8 makes up more than one-fifth of the current browser market share alone, according to research firm Net Applications.
Still, Wolfgang Kandek, chief technology officer for Redwood City, California-based vulnerability management vendor Qualys Inc., said that the two-pronged approach to further securing Internet Explorer should be viewed as a signal from Microsoft that older versions of the Web browser simply aren't good enough from a security perspective. And while IE8 will still exist, Kandek urged enterprises and users to update IE to benefit from numerous security advancements, particularly in how the browser deals with the memory allocation problems highlighted by Young.
"Similar to Windows XP, enterprises will have plenty of time to do it," said Kandek. "Browsers should be considered a very generic piece of software that you should be able to update at any given time, and not just on this monthly cycle."
Beyond IE updates, the August Patch Tuesday release featured only one other critical bulletin, MS14-043, which resolves a privately reported vulnerability in Windows 7 and 8. The flaw is found in Windows Media Center but can be triggered via a malicious Microsoft Office file, leaving users vulnerable to remote code execution and privilege escalation.
The remaining seven bulletins were all deemed important by Microsoft and resolve a number of vulnerabilities in various versions of Windows, Office and the .NET Framework. Kandek noted that MS14-046 and MS14-047, both security feature bypasses, should provide a lesson to IT security vendors: if a company like Microsoft has such vulnerabilities in its products, they should be aware of similar flaws in their own technologies and work to secure them.
"There's still plenty of room for improvement for the majority of security technologies that have been developed," said Kandek.
Separately, Adobe Systems Inc. also issued a critical security update today for its Reader and Acrobat software on the Windows platform only. The patch resolves a sandbox bypass vulnerability, CVE-2014-0546, which could allow attackers to run code natively and perform privilege escalation attacks. Adobe noted that the flaw is currently being exploited in the wild as part of "limited, isolated attacks."