Wednesday 12 November 2014

Microsoft releases critical security fix for 19-year-old Windows flaw

Microsoft's latest Patch Tuesday release contains four critical fixes
Microsoft has released a series of critical security fixes in the latest Patch Tuesday update, including one for a flaw that was 19 years old and present in all versions of Windows as far back as Windows 95.
The Patch Tuesday release contains four critical fixes, the most noteworthy of which is MS14-064. This relates to vulnerabilities in Microsoft Windows Object Linking and Embedding.
Microsoft was made aware of the problem last month and issued a quick fix at the time as criminals were using the exploit to infiltrate machines using modified PowerPoint files.
Microsoft’s full release says that Windows Vista, 7, RT, RT 8.1, 8 and 8.1 are all affected.
Furthermore, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 are also affected.
Microsoft said that those using Internet Explorer (IE) on these systems are most at risk from attackers.
“An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user,” Microsoft explained.
"If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
“Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The issue was found by Robert Freeman from the IBM X-Force security division. He explained in a blog post that Microsoft was first made aware of the issue in May this year. It had been present and exploitable for a staggering 18 years.
"The buggy code is at least 19 years old and has been remotely exploitable for the past 18 years," he said.
"Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript)."
He said the finding underlined the fact that security vulnerabilities can always be uncovered in software and that a keen eye is needed to spot them.
"In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32)."
The Patch Tuesday release also includes 17 fixes for various versions of IE, ranging in severity. The most serious of these could allow remote code execution if a user views a specially crafted webpage in IE.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” noted Microsoft.
The other critical fixes relate to the Microsoft Secure Channel security package and Microsoft XML Core Services 3.0.
The Patch Tuesday release for November also contains eight fixes rated 'important' and two rated 'moderate'.
Microsoft will be hoping that the fixes do not cause problems themselves, as it had to pull last month's patch owing to errors in the release code.
