Microsoft patches vulnerabilities in Internet Explorer, Exchange

In a busy February Patch Tuesday, Microsoft fixed another critical Oracle vulnerability in Exchange. Plus, Internet Explorer received fixes.

Microsoft released 12 patch bulletins Tuesday, which deliver fixes for Internet Explorer and Windows Server. Plus, the company released a patch for yet another vulnerability from Oracle's Outside In library.

Because Internet Explorer is one of the most common attack vectors, admins should apply the critical IE patches immediately. IE 6 through IE 10 are all affected by the cumulative update, which patches 13 vulnerabilities within the software. The other IE bulletin deals with a vulnerability in Vector Markup Language.

At 57 total vulnerabilities patched, Microsoft nearly hit a record number set in April 2011.

Another vulnerability in Oracle's Outside In

Back in December, Microsoft released a patch for a vulnerability in WebReady Document Viewing, which used Oracle's Outside In library. This month, it's made another appearance.

Both Exchange Server 2007 SP3 and Exchange Server 2010 SP3 need patches for the vulnerability. If a user views a malicious document in OWA, hosted on those versions of Exchange, an attacker could gain control of a system.

Early adopters can rejoice, however, as Microsoft removed the Oracle Outside In library from OWA in Exchange 2013, according to Wolfgang Kandek, CTO of Qualys Inc.

A good way to anticipate patches that fix Outside In vulnerabilities is to check Oracle's advisory pages and expect a patch in the following month.

Last month Oracle noted that the library had a critical fix, which made its way into Microsoft's update this month.

The security fix is also part of an Exchange rollup, released Tuesday.

Other critical fixes

Microsoft also patched flaws in older operating systems. One dealt with media codecs, in which a specially crafted .mpg file could lead to an attacker taking over the system. It affects Windows Vista, Windows XP, Windows Server 2008 and Windows Server 2003.

Windows XP SP3 is the sole affected software in a critical patch dealing with Object Linking and Embedding Automation.

Windows XP will no longer be supported as of April 2014, which means Microsoft will no longer deliver security updates. Kandek suggested that bigger organizations start planning upgrades to newer software to avoid running the risk of operating potentially insecure software.
