Internet Explorer, Windows Server Service Bus receive patches

Windows Server admins will see some familiar security updates alongside rarer updates in this month's Patch Tuesday cycle.

Microsoft released six bulletins in this month's batch of security updates. Two are critical, three are important and one is moderate.

Both critical updates address remote code execution vulnerabilities. One of the updates addresses 24 reported vulnerabilities in Internet Explorer (IE), which may be affected if end users visit certain malicious webpages with IE. The update supports IE versions 6 through 11 on affected Windows clients.

Windows administrators should focus on installing this patch on systems, as the vulnerabilities can relinquish control of the browser to an attacker, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, California.

The second critical update addresses a vulnerability in Windows Journal, which could be exploited if an end user opens an infected Journal file. The update affects Windows Vista clients and higher as well as Windows Server 2008 clients and higher.

Windows Journal shipped with Windows XP, and though it is a rarely used operating system component, it raises an important point about inventorying what applications OSes run.

"This tendency of having everything installed and everything enabled increases your attack surface," Kandek said. 

All three important updates address elevation of privilege vulnerabilities. One of these updates, which affects Windows Server 2003 clients and up, addresses a vulnerability in the On-Screen Keyboard (OSK) and may be exploited if attackers use the vulnerability to execute OSK and then upload malicious programs to the end user's system.

The other important updates address vulnerabilities in the Ancillary Function Driver on all supported versions of Windows and in DirectShow on Windows Vista and up as well as Windows Server 2008 and up.

This Patch Tuesday includes a rare moderate security update, which addresses a denial of service vulnerability in Microsoft Service Bus in Windows Server 2008 and higher. The vulnerability could be exploited if remote attackers are authenticated and send malicious Advanced Message Queuing Protocol messages.

The moderate status is because Service Bus does not automatically ship with Microsoft OSes. Vulnerable systems are those with Service Bus installed and configured, in addition to having their end users sharing details of the farm certificate and configuration details, Microsoft said.

The complete list and details of each security update in this month's Patch Tuesday cycle are available on Microsoft's site.