Aerosol Posted February 14, 2015 Report Posted February 14, 2015 Microsoft has released three critical security patches, including fixes for flaws in Internet Explorer leaving users open to attack, in its latest Patch Tuesday update.The Internet Explorer update is listed as 'critical' as it could be used to remotely execute code on a victim's system."This security update resolves one publicly disclosed and 40 privately reported vulnerabilities in Internet Explorer," read Microsoft's advisory."The most severe of these could allow remote code execution if a user views a specially crafted webpage using Internet Explorer."An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user."The remaining 'critical' fixes relate to flaws in Microsoft's Windows Kernel-Mode Driver and Group Policy, some of which can also be remotely exploited."The most severe of the [kernel] vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType fonts," read the advisory."The [Group Policy] vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network."The February Patch Tuesday also included 'important' fixes for Windows, Office, Group Policy and Microsoft's Virtual Machine Manager.These flaws could potentially be exploited for a variety of purposes, including elevation of privileges, information disclosure and security bypasses.Ross Barrett, senior manager of security engineering at Rapid7, highlighted the Virtual Machine Manager update as the most interesting of the 'important' fixes."Hypervisor and virtual machine management applications are often overlooked in routine patching and can be a challenge for administrators to locate on their network," he said."Those going to patch may find the system requires an update rollup or other patches prior to this patch being offered, which could hide a vulnerable state."Internet Explorer has been a constant source of security problems over the past year. Researcher David Leo uncovered a new Internet Explorer zero-day vulnerability affecting Windows 7 and Windows 8.1 earlier in February.Microsoft issued 200 updates in 2014 fixing a multitude of bugs in the ageing browser.Source Quote
