Microsoft came out today with its monthly Patch Tuesday update, this time patching a total of 29 common vulnerabilities and exposures (CVEs). Of the 29 CVEs, 24 are attributed to Microsoft’s Internet Explorer (IE) Web browser.
All of the IE vulnerabilities are detailed in the MS14-037 security bulletin. While the 24 fixed IE CVEs in the July Patch Tuesday update might seem like a large number, in fact it is less than half of the 59 IE vulnerabilities that Microsoft fixed in the June Patch Tuesday update last month.
Of the 24 IE vulnerabilities fixed this month, 10 were discovered by networking vendor Palo Alto Networks.
“The Palo Alto Networks threat research team proactively examines widely used software such as Internet Explorer for critical, unknown vulnerabilities,” Scott Simkin, senior cyber analyst at Palo Alto Networks, told eWEEK. “We do this through a combination of proprietary automated tools and manual human intelligence.”
Palo Alto’s research team is committed to ferreting out vulnerabilities, sharing them with Microsoft for patching, and creating protections for its own customers, Simkin said. The 10 vulnerabilities reported by Palo Alto affect IE versions 6, 7, 8, 9, 10 and 11. All 10 of the flaws Palo Alto Networks reported are memory-corruption vulnerabilities that could enable remote code execution.
Also among the IE fixes are four (CVE-2014-1763, CVE-2014-1765, CVE-2014-2809 and CVE-2014-2813) that were reported to Microsoft via the Hewlett-Packard Zero Day Initiative (ZDI).
Ross Barrett, senior manager of security engineering at Rapid7, noted that among the July Patch Tuesday updates are issues that were first disclosed by ZDI to Microsoft at the Pwn2Own browser hacking challenge back in March.
“They are all local, elevation-of-privilege issues by which an unprivileged user or process may gain greater access,” Barrett stated. “They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence.”
The continued patching of IE isn’t a surprise for Robert Freeman, manager of X-Force Research at IBM Security. “IE is a ripe target for attackers since many organizations have IE set up as the default browser,” Freeman told eWEEK. “The challenge with this is it doesn’t make it easy for organizations to avoid IE’s growing vulnerabilities.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.