Microsoft Internet Explorer Update Repairs 41 Critical Vulnerabilities

Microsoft issued a critical security update for Internet Explorer Tuesday, repairing 41 vulnerabilities in the browser, including a serious information disclosure vulnerability being actively targeted by criminals.

The Redmond, Wash.-based software giant issued nine security bulletins, three rated 'critical,' as part of its February 2015 Patch Tuesday product security updates. The updates repaired 56 vulnerabilities across Internet Explorer, Microsoft Office, Windows and the company's server software.

The Internet Explorer update includes dozens of serious memory-related vulnerabilities and flaws that could enable criminals to bypass browser security restrictions and elevate system privileges. The security bulletin impacts all currently supported versions of the browser.

"Any systems where a Web browser is used frequently, such as workstations or terminal servers, are at the most risk from these vulnerabilities," Microsoft said of three flaws that weaken built-in browser security protection. "Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this."

At least one of the information disclosure vulnerabilities is being used by attackers in multistage attacks, according to Wolfgang Kandek, CTO of vulnerability management vendor Qualys. Kandek said attackers exploit the browser flaw to gather information and then combine it with other exploits to gain control of a targeted system.

Microsoft still has not issued an Internet Explorer update to fix a zero-day vulnerability disclosed by U.K. security consultancy Deusen in October. The cross-site scripting vulnerability was discovered in Internet Explorer 11 running on Windows 7, and exploit code has been made publicly available. The attack, demonstrated by Deusen, can change the content of a legitimate website while the legitimate site's URL remains displayed in the browser, deceiving victims. Microsoft did not comment on when its engineers would fix the flaw.

Microsoft also repaired six critical vulnerabilities in all currently supported versions of Windows. One of the vulnerabilities was publicly disclosed, but the software maker said it is unaware of any active attacks targeting it.

The public disclosure came from Google's Project Zero, which gives vendors 90 days to fix bugs after reporting them. After the 90-day period, Google publishes an alert with details about the coding errors. Microsoft executives are critical of Google's 90-day window, saying it publicly shames Microsoft and other software makers and puts users at risk.

The third critical bulletin addresses a remote code execution vulnerability in Windows that can enable an attacker to take complete control of a victim's machine. The attacker would need to trick a user into connecting to a malicious network. The vulnerability stems from how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller, Microsoft said.

'Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers,' the software maker said in its advisory.

Solution providers say there is no end in sight for the long line of software vulnerabilities that attackers can choose from to gain access to corporate systems. Patching processes must be in place to ensure that updates are deployed promptly to Internet-facing systems, said Jim Matteo, a channel industry veteran and CEO of San Diego-based solution provider Bird Rock Systems. In a recent interview, Matteo said restricting access to sensitive resources can also limit exposure.

'If you can restrict access to data to only those who need it within an organization, you can make it much more difficult for an attacker to gain access to those sensitive resources,' Matteo said. 'Certainly sensitive data such as credit card information, employee data and personal customer information needs to have higher security levels; that's a common area we talk to customers about.'

In addition, Microsoft issued a security advisory outlining an expansion of a security feature that can be used to investigate potential security issues on systems across the network. The company extended its Audit Process Creation policy so that the command-line arguments passed to each newly created process are recorded. If the policy is enabled, the command line of a malicious process launch is saved in the process-creation event written to the Windows Security event log. The new feature is available for systems running Windows 7, Windows 8 and Windows Server 2008 and 2012.
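As an added illustration of what the expanded policy gives defenders (example code written for this page, not from the article or from Microsoft), the Python below parses constructed process-creation records (Security log Event ID 4688) in the Windows event XML schema and flags script hosts started with command-line fragments that rarely appear in benign use. The host list, the keyword list and the sample records are assumptions; the third record shows that the same launch yields nothing to match when the policy is not enabled.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Illustrative rule set (assumption, not a complete detection list): script
# hosts worth scrutinising, and fragments rarely seen in benign interactive use.
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SUSPICIOUS = ("-enc", "-encodedcommand", "downloadstring", "-w hidden", "bypass")

def parse_4688(xml_text):
    """Return user, process and command line of a 4688 record; None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"user": data.get("SubjectUserName", ""),
            "process": data.get("NewProcessName", ""),
            # CommandLine is only populated once the expanded audit policy is on
            "cmdline": data.get("CommandLine", "")}

def is_suspicious(event):
    """True when a script host was started with a command line matching a rule."""
    if event is None or not event["cmdline"]:
        return False
    host = event["process"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    return host in SCRIPT_HOSTS and any(s in cmd for s in SUSPICIOUS)

def scan(records):
    """Return (user, command line) for every record that trips a rule."""
    events = [parse_4688(x) for x in records]
    return [(e["user"], e["cmdline"]) for e in events if is_suspicious(e)]

def _event(event_id, **fields):
    # Minimal record in the Windows event XML schema (values must be XML-safe)
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _event(4688, SubjectUserName="alice", NewProcessName=r"C:\Windows\System32\notepad.exe",
           CommandLine="notepad.exe report.txt"),
    _event(4688, SubjectUserName="alice",
           NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           CommandLine="powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),
    # Same launch on a host without the expanded policy: no CommandLine field, so no hit.
    _event(4688, SubjectUserName="bob",
           NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` returns only the second record's user and command line.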