Microsoft unloads monster-sized can of bug spray on Internet Explorer, again
Another month, another 37 vulnerabilities to fix
True to form, Microsoft has released its latest batch of monthly security fixes, although as expected, September's Patch Tuesday update is a relatively light one.
As Redmond warned us, the only critical patches this time around are included in a big roll-up of fixes for Internet Explorer, which addresses one publicly disclosed vulnerability and 36 more that hadn't previously been disclosed.
According to Microsoft's security bulletin on the patches, every version of IE going back to IE6 is affected, although only IE7 and later have critical bugs that need fixing.
The worst of the vulnerabilities could reportedly allow remote code execution on Windows machines, where an attacker could gain the same security privileges as the current user.
The issues detailed in the other three security bulletins published on Tuesday aren't as serious, although they're still ranked as "important" by Redmond's own security standards.
One server-oriented bulletin discloses a flaw in the .Net Framework that could allow an attacker to carry out a denial-of-service attack against a Windows Server–hosted website that has ASP.Net installed and enabled.
Similarly, a bug in Lync Server can allow an attacker to knock down the server by sending it specially crafted requests.
Finally, a bug in the Windows Task Scheduler can allow an attacker to gain elevated security privileges, provided they can logon to a machine and run custom software to do it. The latter flaw only affects Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2.
While Microsoft's patch batch was relatively small, however, a few other expected patches didn't arrive. Although Adobe has been timing its own security fixes to coincide with Microsoft's and it earlier said it had a few ready for Tuesday, on Monday it said those patches will be delayed until next week so it can have more time to test them. ®