
Microsoft patches vulnerabilities in Internet Explorer, Exchange

In a busy February Patch Tuesday, Microsoft fixed another critical Oracle vulnerability in Exchange. Plus, Internet Explorer received fixes.

Microsoft released 12 patch bulletins Tuesday, which deliver fixes for Internet Explorer and Windows Server. Plus, the company released a patch for yet another vulnerability from Oracle's Outside In library.

Because Internet Explorer is one of the most common attack vectors, admins should apply the critical IE patches immediately. IE 6 through IE 10 are all affected by the cumulative update, which patches 13 vulnerabilities within the software. The other IE bulletin deals with a vulnerability in Vector Markup Language.

At 57 total vulnerabilities patched, Microsoft nearly hit a record number set in April 2011.

Another vulnerability in Oracle's Outside In

Back in December, Microsoft released a patch for a vulnerability in WebReady Document Viewing, which used Oracle's Outside In library. This month, it's made another appearance.

Both Exchange Server 2007 SP3 and Exchange Server 2010 SP3 need patches for the vulnerability. If a user views a malicious document in OWA, hosted on those versions of Exchange, an attacker could gain control of a system.

Early adopters can rejoice, however, as Microsoft removed the Oracle Outside In library from OWA in Exchange 2013, according to Wolfgang Kandek, CTO of Qualys Inc.

A good way to anticipate patches that fix Outside In vulnerabilities is to check Oracle's advisory pages and expect a patch in the next month.

Last month Oracle noted that the library had a critical fix, which made its way into Microsoft's update this month.

The security fix is also part of an Exchange rollup, released Tuesday.

Other critical fixes

Microsoft also patched flaws in older operating systems. One dealt with media codecs, in which a specially crafted .mpg file could lead to an attacker taking over the system. It affects Windows Vista, Windows XP, Windows Server 2008 and Windows Server 2003.

Windows XP SP3 is the sole affected software in a critical patch dealing with Object Linking and Embedding Automation.

Windows XP will no longer be supported as of April 2014, which means Microsoft will no longer deliver security updates. Kandek suggested that bigger organizations start planning upgrades to newer software to avoid running the risk of operating potentially insecure software.


1 comment


I couldn't believe how many Office 2013 patches there were - 16 (including one for Lync) and it's not available for retail sale yet!