Admins have another light month of critical Patch Tuesday security fixes, but one update can be crucial in certain...
The latest cycle of Patch Tuesday security updates includes four fixes to address 42 vulnerabilities. One of the updates is ranked critical, while the other three are ranked important.
The critical update comes for 37 vulnerabilities in Internet Explorer, which could be exploited if someone views a malicious webpage using the browser.
The three important bulletins address denial of service (DoS) and elevation of privilege vulnerabilities. The update addresses a DOS vulnerability in the NET Framework that could be exploited if attackers send requests to affected websites that NET enables.
The bulletin is marked as important because ASP.NET and Internet Information Services (IIS) isn't installed on any supported versions of Windows by default; customers must enable and install it. But for those who enable it, this update is crucial.
"It's a light patch cycle, but it could prove critical for IE users or those who run ASP.NET and IIS," said Amol Sarwate, vulnerability labs manager for Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.
"If you are a server administrator, if you are running IIS, you should patch this," Sarwate said.
The IE zero-day vulnerability addressed in this update allows remote attackers to examine error codes, Sarwate said.
This examination allows attackers to determine the existence of local pathnames, universal naming convention share pathnames, intranet hostnames and intranet IP addresses. Specific malware could change its attack strategy if the Enhanced Migration Experience Toolkit or antimalware software is installed on the target system, he added.
The other important updates in this cycle address an elevation of privilege vulnerability with Windows Task Scheduler in multiple versions of Windows and DoS vulnerabilities with multiple versions of Microsoft Lync. The Lync vulnerabilities fix issues with the server, which could allow unauthenticated attackers to remotely send malicious session initiation protocol requests, Sarwate said.