Security

February's Patch Tuesday is All About IE

Microsoft released a sweeping set of 56 security fixes described across nine bulletins as part of its regularly scheduled “Patch Tuesday” updates yesterday. But fully 41 of those fixes are all contained in a single bulletin for all supported versions of Internet Explorer. And some of these fixes apply to IE 6, which shipped with Windows Server 2003 twelve years ago.

(Internet Explorer 6 had previously shipped with Windows XP in 2001, of course, but since Windows XP is no longer supported, that OS did not receive these updates.)

“This security update resolves one publicly disclosed and forty privately reported vulnerabilities in Internet Explorer,” the Security Update for Internet Explorer (3034682) bulletin notes. “The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

That “publicly disclosed” bit is a jab at Google, which revealed the noted IE flaw—and a few others—in January despite Microsoft’s pleas to give it more time to fix the problem. But these flaws impact all supported versions of IE, dating back to IE 6 on Windows Server 2003, but also IE 7, 8, 9, 10 and 11.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

The other critical bulletin from the February set of updates is MS15-010, or Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. It’s rated as critical on all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1, and as important on Windows Server 2003, Windows Vista, and Windows Server 2008.

“This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Windows,” the bulletin explains. “The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType fonts.”

You can find the complete set of bulletins for February 2015—as well as previous months—on the Security TechCenter web site. But a breakdown of the remaining bulletins includes:

MS15-011 – Vulnerability in Group Policy Could Allow Remote Code Execution – Rated as critical, resolves a privately reported vulnerability in Microsoft Windows.

MS15-012 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution – Rated as important, resolves three privately reported vulnerabilities in Microsoft Office.

MS15-013 – Vulnerability in Microsoft Office Could Allow Security Feature Bypass – Rated as important, resolves one publicly disclosed vulnerability in Microsoft Office.

MS15-014 – Vulnerability in Group Policy Could Allow Security Feature Bypass – Rated as important, resolves a privately reported vulnerability in Microsoft Windows.

MS15-015 – Vulnerability in Microsoft Windows Could Allow Elevation of Privilege – Rated as important,

MS15-016 – Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure – Rated as important, resolves a privately reported vulnerability in Microsoft Windows.

MS15-017 – Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege – Rated as important, resolves a privately reported vulnerability in Virtual Machine Manager (VMM).

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

Paul Thurrott is an award-winning technology journalist and blogger with over 20 years of industry experience and the author of over 25 books. He is the News Director for the Petri IT Knowledgebase, the major domo at Thurrott.com, and the co-host of three tech podcasts: Windows Weekly with Leo Laporte and Mary Jo Foley, What the Tech with Andrew Zarian, and First Ring Daily with Brad Sams. He was formerly the senior technology analyst at Windows IT Pro and the creator of the SuperSite for Windows.
Don't leave your business open to attack! Come learn how to protect your AD in this FREE masterclass!REGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: