James Thew - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Microsoft issues critical IE patch, introduces whitelisting

Microsoft patched two publicly known vulnerabilities in the August Patch Tuesday update. The company also introduced plug-in whitelisting in IE.

Microsoft released nine bulletins in this month's Patch Tuesday updates, with one deemed a high-priority fix for Internet Explorer, according to security researchers. 

Microsoft was aware of two of the 26 vulnerabilities, which have already been used in attacks. Industry observers anticipate that attackers will attempt to quickly capitalize on these vulnerabilities in the hopes that workstation PCs are not patched in a timely manner.

 It's important to apply this IE patch update first, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.

A Media Center vulnerability in certain versions of Windows is also rated as critical. Through this vulnerability an attacker could create an Office file that uses Media Center resources to gain access to a user's rights privileges.

Microsoft SQL Server also received a patch, rated important, for an elevation of privilege vulnerability. Microsoft SQL Server is not patched frequently, which could leave it prone to attack, said Amol Sarwate, vulnerability labs manager for Qualys.

Other important vulnerabilities are present in SharePoint, kernel-mode drivers and.NET frameworks. A full list of bulletins is available on Microsoft's site .

The number of bulletins issued in 2014 rose to 51 this month, but were still down from the 66 issued this time last year.

Internet Explorer gains whitelisting features

Microsoft updated all supported versions of Internet Explorer with a whitelisting function, which is designed to stop the use of out-of-date ActiveX controls. In practice, Internet Explorer would disable a plug-in from running until explicitly given permission. One primary example of this is the often attacked Java browser plug-in, said Sarwate.

Google's Chrome browser has a similar feature called Click-To-Play, Kandek said.

One difference, Kandek noted, is the IE feature explicitly blocks plug-ins on the internet but does not block them from trusted areas such as a corporate intranet.

Beyond that, administrators can take advantage of Group Policy settings that block all plug-ins from functioning, Kandek said.

The whitelisting feature goes into effect next month, but the program is logging plug-in use attempts.

Beginning in 18 months, Microsoft will only support the latest version of Internet Explorer on supported operating systems, signaling the end for IE 8 support.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.