February 2015 Patch Tuesday Releases Critical Updates for Internet Explorer

This month’s Microsoft Patch Tuesday lists nine security bulletins released for February 2015, among which include a roll out for several vulnerabilities in Internet Explorer. This round of security updates includes three updates rated as Critical, while the remaining six were rated Important as Microsoft addressed a total of 56 CVEs. Last month’s Patch Tuesday notification did not include patches for Internet Explorer and only had one update with a Critical rating.

Critical Updates for February Patch Internet Explorer

MS15-009, MS15-010, and MS15-011 are the bulletins rated “critical” as they deal with vulnerabilities in Internet Explorer, Windows Kernel-Mode Driver, and Microsoft Group Policy, respectively. The MS15-009 bulletin is most alarming as the update applies to versions of Internet Explorer that date back all the way to versions 6 to 11. The update addresses a total of 41 different CVEs.

Important Bulletins Fix Vulnerabilities in Microsoft Office, among others
Microsoft released six bulletins rated “important,” which addresses security flaws in Microsoft Office, Windows, Group Policy, Microsoft Graphic Component, and System Center Manager. The bulletins associated with these updates are MS15-012, MS15-013, MS15-014, MS15-015, MS15-016, and MS15-017.

MS15-014 is particularly important as it addresses a single, privately reported vulnerability within Windows Group Policy (CVE-2015-0009). Microsoft describes CVE-2015-0009 as a possible security feature bypass vulnerability that exists in the Group Policy application of Security Configuration policies “that could cause Group Policy settings on a targeted system to revert to their default, and potentially less secure state.” Microsoft further writes: “An attacker could accomplish this by way of a man-in-the-middle attack that modifies domain controller responses to client requests.”

Solutions and Best Practices

Users and system administrators are strongly advised to issue the appropriate patches for these system vulnerabilities. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities following DPI rules:

1006403- Microsoft Internet Explorer ‘display:run-in’ Use-After-Free Remote Code Execution Vulnerability (CVE-2014-8967)
1006475- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
1006476- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
1006478- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
1006480- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
1006483- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
1006474- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
1006477- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
1006502- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
1006511- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
1006479- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
1006481- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
1006484- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
1006489- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
1006504- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
1006505- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
1006508- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038) -1
1006487- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
1006488- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
1006490- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
1006492- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
1006501- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
1006495- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
1006497- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
1006499- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
1006491- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
1006493- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
1006503- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
1006494- Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-0051)
1006496- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
1006498- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
1006500- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
1006507- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
1006510- Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-0069)
1006486- Microsoft Internet Explorer Cross Domain Information Disclosure Vulnerability (CVE-2015-0070)
1006506- Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-0071)
1006470- Microsoft Excel Remote Code Execution Vulnerability (CVE-2015-0063)
1006471- Microsoft Office Remote Code Execution Vulnerability (CVE-2015-0064)
1006473- Microsoft OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
1006482- Microsoft Windows TIFF Processing Information Disclosure Vulnerability (CVE-2015-0061)

More information about these bulletins and their corresponding Trend Micro solutions are posted at our Threat Encyclopedia Page: February 2015 – Microsoft Releases 9 Security Advisories.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

February 2015 Patch Tuesday Releases Critical Updates for Internet Explorer