Microsoft Surprises With Internet Explorer Patch Tuesday Update
Microsoft expands the number of security bulletins and tackles 24 vulnerabilities in Internet Explorer.Microsoft has issued its monthly Patch Tuesday update for February, and unlike Microsoft's January update, this one has at least one big surprise in it. Before every Patch Tuesday event, Microsoft issues an advance notification to give administrators and users a sneak peek at what is coming. For the February Patch Tuesday advance notification, Microsoft initially indicated that there would be five security bulletins, none of them including the Internet Explorer (IE) Web browser. As it turns out, Microsoft today is releasing seven security bulletins, including a massive IE update that addresses no less than 24 vulnerabilities. The IE security update impacts versions 6 through 11 and includes 23 privately reported vulnerabilities and one that was publicly disclosed. Twenty-one of the IE vulnerabilities are grouped together by Microsoft in its security bulletin under the heading "Multiple Memory Corruption Vulnerabilities in Internet Explorer."
"Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory," Microsoft warns. "These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."
"The explanation that they had a technical problem makes much more sense, after all, we can see that there were many vulnerabilities addressed," Kandek said.
Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK that he had been told that the IE update was originally delayed due to incomplete testing. "They worked over the weekend to complete the testing and get it out," Barrett said. Beyond the surprise critical IE update, there is at least one other bulletin to take note of. MS14-009 details vulnerabilities in the .NET framework. Reguly noted that flaws fixed are related to Slowloris, a low-bandwidth denial of service (DoS) attack. The Slowloris attack was first publicly discussed in 2009. "There weren't a lot of defenses in place previously," Reguly said. "I'm not saying that I'm surprised they'd patch this, it's actually great to see this issue resolved. It's just surprising that it would take this long to get around to doing it." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.