Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity

    Microsoft Patches 23 Security Vulnerabilities in March Update

    By
    Sean Michael Kerner
    -
    March 11, 2014
    Share
    Facebook
    Twitter
    Linkedin
      browser security

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Microsoft came out today with its monthly Patch Tuesday update, and as was the case in February, the Internet Explorer (IE) Web browser figures prominently into the total tally. Microsoft is fixing 23 different vulnerabilities in the March Patch Tuesday update, spread across five security advisories.

      Of the 23 vulnerabilities, 18 of them are directly attributable to IE. One of the IE vulnerabilities fixed this month, was first “fix-it’ and consider upgrading to IE 11, which is not at risk from the flaw.

      Security experts suggested a few possible reasons Microsoft did not provide an out-of-band patch for the CVE-2014-0322 flaw prior to today.

      “Obviously, any zero-day exploit in the wild merits significant attention from Microsoft,” Ken Pickering, director of engineering at CORE Security, told eWEEK. “I’m not sure why they wouldn’t release an out-of-band patch for it, given that fact, though it’s possible one wasn’t ready and adequately tested for deployment until this patch update.”

      Tommy Chin, technical support engineer at CORE Security, said an out-of -band patch likely wasn’t implemented because the CVE-2014-0322 flaw only affects users with IE10 that have Adobe Flash but not Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Even though the CVE-2014-0322 flaw leverages an Address Space Layout Randomization ASLR bypass, via an IE memory leak to disable data execution protection, it can only attack a very small attack surface, he added.

      In addition to the CVE-2014-0322 flaw, 17 other flaws were fixed in IE, all of which were reported privately to Microsoft.

      Six of those flaws were reported to Microsoft via Hewlett-Packard’s (HP) Zero Day Initiative (ZDI), which pays security researchers for their discoveries. HP is likely to send a few more flaws to Microsoft this week from the HP-sponsored Pwn2own browser hacking competition in which HP will pay researchers $100,000 in prize money for a successful exploit of Microsoft Internet Explorer 11 running on Windows 8.1 x64. A $150,000 prize is being offered for an exploit of Microsoft Windows Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running.

      Silverlight

      Of particular note in the March Patch Tuesday update is a patch that affects both Microsoft as well as Apple OS X users. The MS14-014 patch fixes a security feature bypass in Microsoft’s Silverlight media technology.

      Dustin Childs, group manager at Microsoft Trustworthy Computing, noted in a blog post that the Silverlight flaw is not under active attack.
      “The update removes an avenue attackers could use to bypass ASLR protections,” Childs said. “Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×