December 23, 2024

Microsoft Preps Critical Internet Explorer Security Update for Patch Tuesday

Posted on September 4, 2014 by in Security

Microsoft is set to release four security bulletins next Tuesday covering issues in Windows, Internet Explorer and other products.

Only one of the bulletins – the one dealing with Internet Explorer – is rated ‘Critical.’ The other three are classified by Microsoft as ‘Important.’

“Looks like a very light round of Microsoft Patching this month,” said Ross Barrett, senior manager of security engineering at Rapid7. “Only four advisories, of which only one is critical. The sole critical issue this month is the expected Internet Explorer role up affecting all supported (and likely some unsupported) versions.  This will be the top patching priority for this month.”

Many organizations do not routinely stay up-to-date with the latest version of the browser, noted Eric Cowperthwaite, vice president of advanced security and strategy at Core Security.

“I checked with a couple recently and they are still running two or three versions of IE behind the current version,” he said. “The IE vulnerabilities are likely to impact significant portions of the enterprise computing space. Clearly the IE vulnerabilities that will allow remote code execution on every desktop OS and most server OS is the vulnerability that should be addressed first. Because it is so widespread and requires system restarts, this is going to be challenging for most IT organizations.”

The three non-critical bulletins address issues in Windows, the .NET Framework and Microsoft Lync Server. Two of the bulletins deal with denial of service issues, while the other addresses an escalation of privilege.  

“The few number of patches expected out next week doesn’t mean you can take a pass on patching this month however,” noted Russ Ernst, director of product management at Lumension. “The critical class patch is for at least one remote code execution vulnerability in IE – likely another cumulative update for the browser.”

The updates are slated to be released Tuesday, Sept. 9.

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed