Large Internet Explorer update headlines June Patch Tuesday

Summary: Today's updates address 66 vulnerabilities, but 59 of them are memory corruption vulnerabilities in Internet Explorer


On Tuesday, Microsoft released seven security bulletins and updates addressing a total of 66 vulnerabilities.

In total, 59 of them are in a single update, a Cumulative Update for Internet Explorer. That update and another affecting Windows and Office are rated critical. One of those IE vulnerabilities had been publicly disclosed.

  • MS14-035: Cumulative Security Update for Internet Explorer (2969262) — Nearly all of the 59 vulnerability fixes in this update are rated critical on at least one version of Windows and Internet Explorer, but the mix of severities and versions is complex. Microsoft credits at least 32 researchers for disclosing these vulnerabilities (some are anonymous). Microsoft has also been collecting these vulnerabilities for some time; one of them, CVE-2014-1770, was reported to Microsoft over six months ago by HP's Zero-Day Initiative. ZDI waits to disclose until the vendor issues a fix, but their rules state that they will disclose in any case after six months.

Another interesting characteristic of this update is that Microsoft includes information as to whether Windows XP is affected, although they try to be slightly oblique about it:


We can also confirm from our own testing that Windows XP systems hacked to look like Windows POSReady do receive this and other updates.

  • MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) — This update addresses two vulnerabilities in Windows, Office 2007 and 2010 and Lync, an interesting combination of products. Both vulnerabilities are critical on at least some of the platforms.

The remaining updates are for vulnerabilities with a maximum severity of Important. Each update addresses a single vulnerability.

  • MS14-030: Vulnerability in Remote Desktop Could Allow Tampering (2969259) — This is an unusual vulnerability, which could allow an attacker to modify the traffic content of an active RDP session. It is blocked by Network Level Authentication (NLA) and good firewall practices and, in any case, Microsoft considers it unlikely that successful exploit code could be written.

  • MS14-031: Vulnerability in TCP Protocol Could Allow Denial of Service (2962478) — An attacker could cause a system to stop responding. Microsoft considers it unlikely that successful exploit code could be written.

  • MS14-032: Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258) — Lync Server content could potentially execute scripts in the user's browser to obtain information from web sessions. Microsoft considers it unlikely that successful exploit code could be written.

  • MS14-033: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061) — XML processing could allow an attacker access to more information than is proper. Microsoft considers it unlikely that successful exploit code could be written.

  • MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261) — Word's handling of embedded fonts could be abused to give an attacker remote code execution with the same privileges as the user running Word.

Microsoft also released numerous non-security updates today. The vast majority are for Windows 8 and 8.1, a few for Windows RT and Windows Server 2012 and two for Windows 7 and Windows Server 2008 R2.

A new version of the Microsoft Malicious Software Removal Tool is also available, and runs automatically when users run Windows Update. The new version adds detection and removal for Win32/Necurs, a sophisticated rootkit that puts great effort into combating security software.

Topics: Security, Microsoft, Windows

  • Large Internet Explorer update headlines June Patch Tuesday

    Thanks for the heads up. Kudos to Microsoft as well.
    • total failure of internet explorer in win 7 licensed copy

      Please guide me, my IE browser does not work

        I guess grab it on another computer and put it on a thumbdrive to install
      • "my IE browser does not work"..

        Bonus I'd say! Seems that MS have finally found a way to make it really secure for you... If it's broke don't fix it!
        The Central Scrutinizer
    • Redmond patches 66 flaws on Patch Tuesday

      June update also brings Flash and Surface firmware fixes

      This is scheduled, no need for the heads up.
  • IE 11 update

    Class! IE 11 stopped working after update - had to launch FixIt50195.
  • These updates are not really necessary.

    The latest versions of Internet Explorer have already made it the safest ever browser from Microsoft. It doesn't need patching!
    Owl: Net
    • Owl: Net (note the space) vs. Owl:Net

      I'd say that the real Owl:Net has a secret admirer.
      Rabid Howler Monkey
      • Neh

        He changes his name often. Not sure why tho.

        He used to be OwllllllllllllllllNet with a stupid amount of Ls
    • You need to make more spelling mistakes to properly impersonate Owl:Net

      • maybe he just got an update to IE with a better spelling corrector?

      • Then it's settled ...

        ... Owl:net is Norwegian. Smalahove is a Norwegian meal consisting of a boiled sheep's head.
    • no

      It doesn't work at all
      • RE: No ...

        Can you boot the computer into safe mode?
  • Come on....

    ...they fix so many vulnerabilities every month I am beginning to wonder if there is a vulnerability in every line of code with windows/IE. Beyond pathetic
    • It's like you don't understand

      software development at all.
      Michael Alan Goff
    • Right on!

      I'm with you. I use Firefox & Chrome because they have no issues and don't have several tens of issues patched and features added every month.
      • You should really put a sarcasm tag

        or else somebody might take that as a serious response ;)
        Michael Alan Goff
        • It was a serious response!

          Check back yourself through the Firefox version history and you will see that there are no tens of issues patched every month - although improvements are often offered to support other 3rd party stuff. However these are not 'security' patches to fix dozens of gaping security holes such as IE seems to require every month

          I believe Firefox currently operates on a 6 week release schedule and reading the release notes most changes are improvements and changes to the interface. Out of band emergency security updates are seldom required to be issued - unlike IE!

          So bitcrazed is very wise to use FF and Chrome - anyone who advocates the use of IE is a menace both to the IT industry and the public at large.
          The Central Scrutinizer
          • Good joke

            Instead of patching a few things every month, they get a "new version" every 6 or so weeks that patches a HUGE amount of things. Seriously, no browser is without needing to be patched for security issues.
            Michael Alan Goff