Microsoft today delivered its monthly Patch Tuesday update, providing fixes for 37 unique common vulnerabilities and exposures (CVEs)—26 of which affect Microsoft’s Internet Explorer.
The 25 CVEs for IE are all patched inside the MS14-051 security bulletin. In the bulletin, Microsoft notes that 25 of the CVEs were privately reported and one CVE was previously publicly disclosed. The one publicly disclosed IE vulnerability is identified as CVE-2014-2819.
“These vulnerabilities are caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges,” Microsoft warned in its security bulletin.
Alongside the August Patch Tuesday update, Microsoft has also created a new rating for its exploitability index. Microsoft first debuted its exploitability index back in 2008 as a way to help inform end-users about the likelihood that a vulnerability could be exploited. Starting with this month’s Patch Tuesday, Microsoft has now added a new 0 rating, which is being used for the MS14-051 bulletin. The 0 rating means that the exploitation of vulnerabilities has been detected.
“The 0 rating on the exploitability index is long overdue and a great addition,” Tyler Reguly, manager of security research at Tripwire told eWEEK. “This is a good way for people to quickly look and see what is a risk for them today, instead of having to read the full bulletin to make that determination.”
Eric Cowperthwaite, vice president, advanced security and strategy, Core Security, told eWEEK that he likes the addition of the 0 designation for the exploitability index. “It’s good that Microsoft is being very explicit that something is currently being exploited in the wild,” Cowperthwaite said. “Security teams, IT operations teams, etc., need to pay very close attention to anything with a 0 designation; it’s serious and needs attention.”
With the MS14-051 update, Microsoft is now enabling a critical new security feature in IE. The new feature is the ability to block outdated ActiveX browser controls, which can be a potential path to user exploitation. While the feature is enabled in the new IE patch, Microsoft is not yet actually blocking anything for 30 days.
“Based on customer feedback, we have decided to wait 30 days before blocking any out-of-date ActiveX controls,” a Microsoft spokesperson told eWEEK.
The spokesperson explained that IE users can employ the new logging feature to assess ActiveX controls in their environment, and deploy group policies to enforce blocking, turn off blocking ActiveX controls for specific domains or turn off the feature entirely depending on their needs
“The feature and related group policies will be available Aug. 12, but no out-of-date ActiveX controls will be blocked until Tuesday, Sept. 9,” the spokesperson stated.
Wolfgang Kandek, CTO of Qualys, said the new ActiveX blocking technology will be a a positive addition to the IE security landscape.
“It is a lightweight, common sense mechanism to get quick relief out,” Kandek told eWEEK. “IE will check every 12 hours for a new version of the file, and that will enable Microsoft to provide quick fixes for common attacks as they are documented.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.