


Microsoft adds two critical updates to Patch Tuesday at the last minute

Feb 11, 2014 | 3 mins
Application Security, Network Security

Microsoft predicted five security bulletins for the February Patch Tuesday, but bumped it to seven with the addition of two critical updates.

Last week Microsoft revealed that there would be five new security bulletins for today’s Patch Tuesday. In an unusual move, that number was bumped to seven as Microsoft threw in two last-minute Critical security bulletins related to Internet Explorer.

After months of consistent monthly updates for Internet Explorer, and an established pattern of producing a cumulative security update for IE at least every other month, it seemed odd that IE was absent from the initial batch of predicted security bulletins.

Tyler Reguly, manager of security research for Tripwire, states, “The biggest discussion point with Microsoft’s patch drop this month is probably the change in bulletins. To go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute.”

The addition of the two new critical updates changes the dynamic of this Patch Tuesday quite a bit. There were only two Critical and three Important security bulletins initially projected, and now that changes to four Critical and three Important.

“With more than 20 CVEs in this month’s IE update, there’s plenty of opportunities for drive-by downloads via watering hole attacks,” explains Craig Young, security researcher for Tripwire. “The range of problems fixed this month can be combined to gain complete administrative access by tricking a user into visiting a malicious site. Without any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today.”

It’s important to roll out both MS14-010 and MS14-011 as soon as possible, stresses Marc Maiffret, CTO of BeyondTrust. The urgency surrounding the Critical update for Internet Explorer should be tempered with reasonable caution as well, though. Microsoft does an excellent job of testing and troubleshooting patches before release, but it’s not perfect. The fact that this was a last-minute addition may lead to unforeseen issues if Microsoft rushed it in any way.

Internet Explorer is not the only thing on the radar this month, though. There are patches for an information disclosure vulnerability in XML Core Services, a denial of service flaw in IPv6, an elevation of privilege hole in .NET Framework, and vulnerabilities in Direct2D and Forefront Protection for Exchange that could allow remote code execution.

As always, you should review the security bulletins and Microsoft’s Exploitability Index to determine which updates apply to your environment, and how urgent it is to get the patch implemented. Regardless of priority, you should install all applicable patches as soon as possible.


Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.