Yesterday, Microsoft released its regularly scheduled set of Patch Tuesday security updates. The light release was more notable for what it didn’t include than what it did include—Microsoft still hasn’t patched a vulnerability demonstrated at the Pwn2Own hacker event earlier this year.
Computerworld’s Joab Jackson reported, “System administrators and IT security pros can take bit of a breather: Microsoft issued a comparatively light set of patches for this edition of its monthly release of software vulnerability fixes. ‘It’s a boring Patch Tuesday this month, and that’s an excellent thing for IT security teams because there won’t be a mad dog rush to get this month’s patches deployed,’ wrote Andrew Storms, director of security operations for security firm nCircle, in an email statement.”
Brian Prince with eWeek explained, “Microsoft patched 14 security vulnerabilities today in its Patch Tuesday update, including critical bugs affecting Windows and Internet Explorer. To address the vulnerabilities, Microsoft released a total of nine security bulletins this month, including two bulletins ranked ‘critical.’ Both of the critical bulletins, which affect Internet Explorer and Windows Remote Desktop Client, address vulnerabilities that could be exploited to permit an attacker to remotely execute code. According to Microsoft, the issues covered by the two bulletins can be exploited if an attacker tricks a user into viewing a specially crafted Web page.”
ZDNet’s Zack Whittaker advised, “Because the attack vector is higher on more Windows-based machines, the first critical flaw affecting Internet Explorer should be first on the agenda. The second critical bulletin affects the Remote Desktop Client that could allow another such malware injection, which would give the attacker the same user rights as the logged-in user, just as the first flaw. Both patches fixing the two critical vulnerabilities require the machine to be restarted.”
Sean Michael Kerner with eSecurity Planet noted, “Though Microsoft is patching a good number of flaws, it is not patching vulnerabilities that were publicly demonstrated at the Pwn2Own 2013 event in March. Security research group VUPEN was able to exploit Internet Explorer 10 with a pair of zero day flaws as part of the event. The full exploit details were then privately given to Microsoft by event organizer HP TippingPoint. Microsoft did not patch the Pwn2Own flaws in its March Patch Tuesday update either.”