August Patch Tuesday Improves Internet Explorer's Security and Features
In its latest Patch Tuesday, Microsoft issued 9 bulletins covering a total of 37 Common Vulnerabilities and Exposures (CVEs) spread across some of its products. This release contains two bulletins marked as critical, MS14-043 and MS14-051. The first relates to a Windows Media Center vulnerability, while the second involves Internet Explorer (considered the most important because of the number and seriousness of the CVEs fixed). The remaining seven bulletins are associated with Microsoft Office, SQL Server, Windows Server and the .NET Framework. Each has an "Important" rating from Microsoft and leaves users open to a mix of remote code execution, elevation of privilege and security bypass exploits.
The update for Internet Explorer provides fixes for 26 CVEs as well as feature improvements. The majority of the vulnerabilities are memory corruption issues. The most severe of these could allow arbitrary remote code execution if a user views a specially crafted Web page. Microsoft said in the security bulletin: "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
While Microsoft fixed important security flaws, some improvements were also included for Internet Explorer 11. Starting with the F12 Developer Tools, there were some substantial changes in the user interface, console, DOM explorer, debugger, emulation tool, and UI responsiveness and memory profiling tools. The WebGL renderer was updated with support for the ANGLE_instanced_arrays, OES_element_index_uint and WEBGL_debug_renderer_info extensions, the failIfMajorPerformanceCaveat context creation attribute, 16-bit textures, more GLSL conformance, and line loop and triangle fan primitives. According to Microsoft, this update boosts the Khronos WebGL Conformance Test 1.0.3 pass rate from 89.9% to 96.8%.
This cumulative update also introduced out-of-date ActiveX control blocking and support for the WebDriver standard, which Web developers can use for test automation that mimics real user actions. There were some changes in the browser's engine, and Microsoft will soon release a separate package to enable the execution of WebDriver scripts.
Ralph Winzinger Nov 25, 2014