February's Patch Tuesday is All About IE
Microsoft released a sweeping set of 56 security fixes described across nine bulletins as part of its regularly scheduled “Patch Tuesday” updates yesterday. But fully 41 of those fixes are all contained in a single bulletin for all supported versions of Internet Explorer. And some of these fixes apply to IE 6, which shipped with Windows Server 2003 twelve years ago.
(Internet Explorer 6 had previously shipped with Windows XP in 2001, of course, but since Windows XP is no longer supported, that OS did not receive these updates.)
“This security update resolves one publicly disclosed and forty privately reported vulnerabilities in Internet Explorer,” the Security Update for Internet Explorer (3034682) bulletin notes. “The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
That “publicly disclosed” bit is a jab at Google, which revealed the noted IE flaw—and a few others—in January despite Microsoft’s pleas to give it more time to fix the problem. But these flaws impact all supported versions of IE, dating back to IE 6 on Windows Server 2003, but also IE 7, 8, 9, 10 and 11.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
The other critical bulletin from the February set of updates is MS15-010, or Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. It’s rated as critical on all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1, and as important on Windows Server 2003, Windows Vista, and Windows Server 2008.
“This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Windows,” the bulletin explains. “The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType fonts.”
You can find the complete set of bulletins for February 2015—as well as previous months—on the Security TechCenter web site. But a breakdown of the remaining bulletins includes:
MS15-011 – Vulnerability in Group Policy Could Allow Remote Code Execution – Rated as critical, resolves a privately reported vulnerability in Microsoft Windows.
MS15-012 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution – Rated as important, resolves three privately reported vulnerabilities in Microsoft Office.
MS15-013 – Vulnerability in Microsoft Office Could Allow Security Feature Bypass – Rated as important, resolves one publicly disclosed vulnerability in Microsoft Office.
MS15-014 – Vulnerability in Group Policy Could Allow Security Feature Bypass – Rated as important, resolves a privately reported vulnerability in Microsoft Windows.
MS15-015 – Vulnerability in Microsoft Windows Could Allow Elevation of Privilege – Rated as important,
MS15-016 – Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure – Rated as important, resolves a privately reported vulnerability in Microsoft Windows.
MS15-017 – Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege – Rated as important, resolves a privately reported vulnerability in Virtual Machine Manager (VMM).