Tenth Anniversary Patch Tuesday brings crucial Microsoft Explorer fix

Microsoft issued four critical security bulletins and four additional important bulletins covering IE, Windows and Microsoft Office

As anticipated, the latest round of Microsoft's Patch Tuesday monthly release of security fixes addresses a widely known Internet Explorer (IE) vulnerability already being exploited by malicious hackers.

Overall, for October's bundle of software patches, Microsoft issued eight bulletins covering 26 vulnerabilities. Microsoft rated four of the bulletins as critical and the other four as important.

The critical IE bulletin covers one publicly disclosed vulnerability and nine vulnerabilities not yet known by the public. The other three critical bulletins address flaws in the Windows OS. Three of the bulletins marked as important address issues with Microsoft Office, and the fourth remedies a problem in Silverlight.

Administrators should apply the patch for the IE vulnerabilities first, advised Wolfgang Kandek, chief technology officer of IT security firm Qualys.

This month's collection also marks the 10th anniversary of Microsoft's Patch Tuesday, which the company started in October 2003 in order to bundle security patches into monthly release cycles, which would allow system administrators to apply them all at the same time, rather than deal with each patch individually.

Although holding on to crucial patches for up to 30 days can be potentially problematic in terms of security -- at least for those patches that address publicly known vulnerabilities -- the monthly release cycle has been beneficial for the industry, in that it brings order to an otherwise unruly process of staying ahead of those who exploit vulnerabilities for nefarious purposes, Kandek said.

"Our perspective has certainly evolved from 10 years ago when Patch Tuesday was started. Back then vulnerabilities were clear cut and straightforward to understand. Today the amount of complexity that goes into the detection and remediation process is truly impressive," Kandek later added in an e-mail statement.

The IE public vulnerability, works by exploiting how IE accesses computer memory, allowing a maliciously designed Web page to gain user privileges on a computer. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," a Microsoft advisory warned.

When the vulnerability was made public last month, malicious hackers quickly put it to use. An exploit based on the vulnerability was added to the popular penetration testing framework Metasploit, where it could be used on its own, or as one in a chain of vulnerabilities designed to gain illicit access to computers. Most of the attacks targeted versions 8 and 9 of IE, though all currently supported versions of the browser could be affected.

The IE vulnerability might have been severe enough to warrant Microsoft issuing an out-of-band patch before this month's Patch Tuesday. Instead, the company issued instructions on how to temporarily fix the problem and scheduled the correction for this month's Patch Tuesday. The move was a wise one, Kandek said. "Every time you go out of band, it makes the work of the IT administrators harder, because they have to react to it and push out patches that they were not prepared for," he said.

Although Microsoft deemed the Office patches only as "important," Kandek advised administrators to apply these as soon as possible as well. Computers with either Microsoft Excel or Microsoft Word could be compromised by a maliciously crafted file that harnesses these vulnerabilities to gain control of the user's computer.

"You need to open a file in order to be infected," Kandek said. Qualys sees these vulnerabilities as critical because "opening a Word file or an Excel file is not much of an obstacle," Kandek said

These exploits could also prove to be dangerous in that Office tends not to be patched by administrators or users with the same frequency as IE, Kandek said.

In addition to issuing the patches this Tuesday, Microsoft also awarded a US$100,000 bounty to security researcher James Forshaw for developing a mitigation bypass technique to compromise Microsoft Windows computers by exploiting a series of bugs. Microsoft can use this technique to better understand, and defend against, entire classes of attacks, the company stated.

Adobe also issued critical patches on Tuesday for Adobe Reader and Adobe Acrobat. Kandek recommends patching this software as soon as possible as well.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the PC World newsletter!

Error: Please check your email address.

Tags patchesintrusiononline safetyMicrosoftsecuritypatch managementExploits / vulnerabilitiesmalwareDetection / prevention

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?