The company has finally released this month’s Patch Tuesday fixes

Mar 12, 2014 06:58 GMT

Microsoft has recently released this month’s Patch Tuesday updates, fixing a total of 23 vulnerabilities in Windows, Internet Explorer, and Silverlight with the help of 23 different bulletins.

Two of the updates included in this new release cycle are flagged as critical, which means that system administrators should prioritize the deployment of MS14-014 and MS14-012, which address flaws in Silverlight and Internet Explorer, respectively.

First of all, the MS14-014 bulletin was specifically designed to address a security vulnerability in Silverlight which Microsoft claims was privately disclosed, so no attacks have been recorded so far.

“Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, ‘The hidden harmony is better than the obvious’ - Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security,” Microsoft said in an advisory published today.

The MS14-012 bulletin, on the other hand, repairs a zero-day flaw found in Internet Explorer in February, as well as 17 privately disclosed issues.

The software giant says that all computers that have the Enhanced Mitigation Experience Toolkit (EMET) installed are fully protected, and that if an attack is launched against such a system, the exploit isn’t possible.

Some attacks have indeed been spotted, Microsoft says, but only against users running Internet Explorer 10 on their computers, so Windows 7 and Windows 8 adopters are basically the only ones vulnerable to attacks, as this new version of Internet Explorer is only available on Microsoft’s latest OS builds.

“These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue,” Microsoft said in the same security advisory.

An update for Adobe Flash Player has also been released, patching flaws that would again allow attackers to compromise a specific computer and access user data.

As usual, all patches are being delivered via Windows Update, so no user interaction is needed. A reboot is required in order to complete installation of the critical patches, so make sure you save your work before you start deploying the newly launched updates.