Microsoft Patch Tuesday focuses on Internet Explorer

Microsoft has issued 29 patches for its Internet Explorer browser, including one fixing a critical vulnerability that would allow a remote attacker to gain access to a computer from over the Internet.

The patches are part of Microsoft’s monthly software update cycle, informally called Patch Tuesday.

[Microsoft fixes Internet Explorer flaw with out-of-band patch, XP included]

Overall, Microsoft addressed 41 vulnerabilities this month, including two critical ones that could be used for remote code execution.

Administrators should first look at MS14-051, a collection of 29 patches for Internet Explorer, said Wolfgang Kandek, chief technology officer for IT security firm Qualys. These vulnerabilities range across all currently supported versions of Internet Explorer, from IE6 to IE11.

The other critical vulnerability this month, addressed by MS14-048, is found in Microsoft’s OneNote note-taking software. The vulnerability is the worst kind — a bug that would allow a malicious user to gain control of a machine.

OneNote, which is part of Office, is not as widely used as Word, Excel and PowerPoint, so Microsoft and researchers have been playing down the severity of this bug, but an organization that has this application should patch it immediately, Kandek warned.

Other products patched this month include Windows, SharePoint and SQL Server. The SQL Server patch, addressed in MS14-044, is a rarity in that patches for the database server software don’t appear that often, Kandek said.

While administrators are in patching mode, they should also take a look at two sets of patches that Adobe issued Tuesday, for its Reader and Flash software.

In the past few weeks, Microsoft has taken additional measures to better secure IE. It has created blocking mechanisms to stop older, unsecured, ActiveX and Java applications from running when the browser is in Internet-mode. It provides a whitelist that organizations can use to run their legacy Web applications, however.

[Microsoft confirms Internet Explorer zero-day]

Microsoft also announced that, as of January 2016, it will stop supporting all but the latest versions of IE, a move to help the company better secure the browser by limiting the number of versions that are being run. Organizations that require a specific version of the browser for legal or compliance reasons can continue to run the software in a new “enterprise mode” of operation that Microsoft has added to the browser.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab’s e-mail address is Joab_Jackson@idg.com