Microsoft fixes 59 IE flaws in June Patch Tuesday
Microsoft has fixed 66 flaws in this month’s Patch Tuesday, 59 of which apply to Internet Explorer.
As expected as part of Microsoft’s monthly update cycle, the company released two critical bulletins: MS14-035, which applies to IE, and MS14-036, which applies to Windows, Office and Lync.
According to Microsoft, MS14-035 deals with two publicly disclosed vulnerabilities and 57 that were not yet widely known about.
The company said the most severe of the bugs patched by MS14-035 allows remote-code execution following a waterholing attack, where a user visits a malicious website designed to target a specific group of people.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” Microsoft said, adding those with administrative rights would therefore be worst affected.
The update is critical for IE 7 to IE 11 running on Windows desktop computers and important for IE 6 to IE 11 running on Windows Server.
MS14-036 patches two remote-code execution vulnerabilities, which could be exploited through a compromised file or web page.
It is rated critical for Windows Vista and newer, Live Meeting 2007, Lync 2010 and Lync 2013, and important for Office 2007 and 2010.
The remaining five patches are all rated important. The first, MS14-034, covers another remote-code execution vulnerability, this time in Word 2007 and Office Compatibility Pack.
MS14-033 and MS14-032 both deal with information disclosure vulnerabilities in Microsoft XML Core Services affecting Windows Vista and newer, and Lync Server respectively.
MS14-033 also affects Windows Server 2003 and newer, although it is rated low for those instances.
MS14-031 also affects all currently supported versions of Windows, as well as Windows Server 2008 and Windows Server 2012, addressing a vulnerability in the TCP protocol that could allow denial of service.
Finally, MS14-030 fixes a vulnerability in Windows 7, Windows 8 and Windows 8.1, which could allow tampering during a remote desktop session.
For early adopters of Windows 8.1, this will be the last time the operating system receives an automatic update unless they have installed Windows 8.1 Update, issued in April.
The security bulletin can be read in full here.
Microsoft has also used the opportunity of Patch Tuesday to issue firmware updates for the Surface 2 and Surface Pro 2.