Internet Explorer, .NET, IPv6 and Shockwave top the February 2014 Patch Tuesday list


For today's Patch Tuesday, Microsoft released seven bulletins (a surprise after only announcing five last week) and Adobe released one.

There are four critical advisories; to me, the most important is MS14-010, which affects Internet Explorer versions 6 through 10.

This patch fixes 24 vulnerabilities, one of which has been publicly disclosed.

Considering that 22 of these vulnerabilities can lead to remote code execution, this fix is priority one.

MS14-007 is a flaw in the Direct2D graphics engine in Windows 7 through 8.1, including RT.

It is also related to Internet Explorer and could result in a malicious web page exploiting this flaw to achieve remote code execution.

The last major one to look out for is MS14-011, which covers flaws in the VBScript interpreter affecting Windows XP through 8.1 (RT inclusive) and Internet Explorer versions 8 through 11.

Server editions have mitigation implemented through blocking active scripting inside Internet Explorer, but expediting this fix is still recommended.

The fourth critical flaw is a remote code execution flaw in Forefront for Exchange, while the three important vulnerabilities are in XML, .NET and the Windows IPv6 stack.

Adobe's fix is for the Shockwave Player and resolves two critical remote code execution vulnerabilities.

In addition to recommending that you remove Shockwave if you have it installed, there is another reason to avoid it.

Adobe seems to think that its job includes trying to force you to install unwanted applications along with its plugins.


In my case it tried to "opt me in" to installing Chrome. It is a dodgy practice to bundle other applications by default and even worse practice when someone is downloading a security update.

Shame on you Adobe.

Those who want to download Shockwave without the bundleware can go to the Adobe alternates download page.


9 Responses to Internet Explorer, .NET, IPv6 and Shockwave top the February 2014 Patch Tuesday list

  1. The most important part is left out... Does this mean that Adobe prefers Chrome's built-in Pepperflash to its own flash process?

    Is PepperFlash better?

  2. Blz · 71 days ago

    Adobe alternates page. You are joking, right. No mention of Windows 7 and the flash requirements are Windows2000XP/Vista.

  3. MikeP_UK · 71 days ago

    Such practices are often known as 'foistware' and Adobe are not the only culprits. And they have been around for a very long time. Everyone should check every, yes every, install offered to untick the foistware box. That usually means not allowing automatic downloads and installs else you get lumbered with the foistware and have to uninstall it, with all the attendant risks and troubles that has. So you have to be diligent at checking for all updates, making sure they don't install what you don't want/need and then updating manually.
    I've been doing it that way for over 20 years and it works if you are diligent.

  4. Anonymous · 70 days ago

    So Naked Security recommends uninstalling Shockwave? Isn't it needed for many websites? Are there more secure alternatives?

    • HTML5 is the shockwave killer. How much removing it hits you probably depends on what kind of websites you visit - I can't remember the last website I went to that used Shockwave (or at least I haven't heard my laptop fan trying to spin off its bearings for a while).

    • Hasn't been widely used since around 2000. Don't confuse Flash with Shockwave (Sometimes Flash is called Shockwave Flash from back in the Macromedia days).

      What I always tell people (same with Java) is remove it. If you are then prompted to install it because sites you use require it, you can always reinstall it.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.