Wednesday 11 September 2013

Microsoft Crushes 47 Bugs On Patch Tuesday

Yesterday, Microsoft issued 13 security bulletins covering some 47 bugs in a slightly-larger-than-usual Patch Tuesday. Among these, four were listed as critical and the rest marked as important. Get ready to update!
Interestingly, a fourteenth update relating to a denial-of-service issue in .NET was announced last week but has been held back for further testing. Perhaps Microsoft wishes to avoid a repeat of the confusion from last month's Patch Tuesday, when one update had to be pulled after release.
Internet Explorer and Social Engineering
Microsoft addressed ten vulnerabilities with a cumulative update to Internet Explorer, affecting versions 6 through 10. This means that just about everyone will be touched by these changes, which is for the best, as some of these bugs allowed remote code execution.
"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," wrote Microsoft. "An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user." This is another great argument for never using an account with administrator privileges for day-to-day work.
Microsoft Word and Excel will see updates addressing a file format vulnerability, where a specially crafted Office file could be used to execute code on a victim's computer. "Microsoft only rates these vulnerabilities as 'important' because they require the target to cooperate," writes Qualys CTO Wolfgang Kandek. "However, attackers have proven time and again that they have the necessary social engineering techniques to overcome that obstacle with ease."
In fact, the reports we've seen put social engineering at the top of the major threats against users, alongside tainted files like those addressed by these Office updates. Such files are especially dangerous because they look legitimate, and we've seen how they've been used to great effect in advanced persistent threat attacks.
Outlook and Others
The popular 2007 and 2010 versions of Microsoft Outlook were also patched this month, fixing a particularly nasty vulnerability. "An attacker can exploit the certificate parsing algorithm by signing an e-mail and nesting over 256 certificates in the signature," explained Kandek. "The attack causes a buffer overflow, even if just visualized in Outlook's preview pane."
Though Microsoft says the Outlook attack is difficult to pull off, it's dangerous because the victim doesn't have to do anything for the attack to succeed: merely previewing the message is enough.
In addition to these, Microsoft released critical patches for SharePoint 2003, 2007, 2010 and 2013, as well as Microsoft Visio. The patches labeled important cover OLE, Windows theme files, Microsoft Access, Office IME (Chinese), Kernel-Mode drivers, Windows Service Control Manager, FrontPage, and Active Directory.
