Microsoft has released a critical fix for vulnerabilities in its popular Internet Explorer web browser, as a part of its latest monthly Patch Tuesday update.
The Internet Explorer (IE) update is one of two critical updates this month; the flaws it fixes could theoretically be used by hackers to mount remote code-execution attacks.
Qualys CTO Wolfgang Kandek said that, while serious, none of the vulnerabilities are zero-days, meaning their potential use to hackers is limited.
“There are no zero-days open for IE, which would dictate the shortest turnaround possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation,” he said.
The second critical bulletin relates to Microsoft’s now ancient Windows XP Tablet Edition, and its Windows Journal note-taking application. Kandek said the esoteric nature of the vulnerability means it is unlikely hackers will bother creating exploits to target it, though IT managers should still install the patch.
“I actually had to look up what Windows Journal is, because I had never heard of it. Journal is a ‘notepad’ for handwritten notes and first made its appearance in Windows XP Tablet Edition, so this is a vulnerability that really does not apply to a normal Windows XP system,” he said.
“However, after XP, it has been included by default in all subsequent Windows versions: Vista, 7 and 8, and can be attacked through a specially formatted input file. The attack vector can be through web-browsing, email or IM, or any other means that can be used to send you a .JNT file. Given its obscurity and the potential for more file format problems, it is probably a reasonable measure to disable the file extension .JNT.”
The July Patch Tuesday release also includes three “important” updates plugging flaws in the Windows On-Screen Keyboard, the afd.sys driver and the DirectShow service. All three could be used by hackers to achieve local escalation of privileges.
There is also a fix for a “moderate” flaw in Windows Service Bus that could be exploited to mount a denial-of-service attack.
Internet Explorer flaws have been an ongoing issue for Microsoft. The company was forced to issue 59 Internet Explorer fixes as part of its June Patch Tuesday update.