Microsoft delivers six patches

Powered by SC Magazine
 

"Critical" Windows kernel bug of most concern.

Microsoft has patched for 15 vulnerabilities with the distribution of six bulletins, one of which the software giant recommends administrators immediately apply.

That fix, MS09-065, corrects three vulnerabilities in Windows kernel-mode drivers. One of the flaws is considered "critical", but does not impact Vista or Server 2008.

The bug, however, can be exploited on Windows 2000, XP and Server 2003 machines to execute remote code if a user views content rendered in a maliciously-crafted Embedded OpenType font, used on web pages. Proof-of-concept code is already available to launch drive-by attacks, security researchers said yesterday. And, according to Microsoft, consistent exploit code is expected.

"We recommend customers prioritize and deploy this update immediately," Jerry Bryant, senior security program manager at Microsoft, wrote on the company's Security Response Center blog.

Ben Greenbaum, senior research manager at Symantec, agreed that the bulletin should be urgently deployed because the flaw is at the kernel level, meaning it does not matter with what privilege the user's machine is running.

"All that's required of a user to become infected by it is simply viewing a compromised web page," he said. "Symantec isn't seeing any active exploits of this in the wild yet, but we think attackers will be paying a lot of attention to it in the future."

Tuesday's update also includes two other "critical" bulletins, which address four vulnerabilities, and three "important" bulletins that take care of 10 bugs. One of those -- MS09-067 -- resolves eight flaws in Office that can lead to remote code execution if a user opens a specially-crafted Excel file.

Sheldon Malm, senior director of security strategy at Rapid7, a vulnerability management provider, called MS09-067 a "sleeper threat" because Microsoft considers it highly exploitable and because Excel is widely used.

Also, as part of the update, Microsoft re-released two patches: MS09-045 and MS09-051.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
NSW to build its own myGov
Service NSW digital profiles available by September.
 
Android bug leaves a billion phones open to attack
Hackers only need phone number to target devices.
 
Australia's leaders agree to end GST-free online goods
Gerry Harvey may finally get his way.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Windows 10 is here! (For some)
Jul 29, 2015
Delivery of the free upgrade versions of Windows 10 began today - have you got yours yet?
Microsoft reveals Microsoft Send, a new enterprise chat app to rival Slack
Jul 27, 2015
Microsoft Send is MSN Messenger for grownups, and you could be using it at work very soon
Developers offered $500,000 grants to find HoloLens uses
Jul 8, 2015
Can augmented-reality end up in business?
Microsoft Tossup: The planning app for unorganised groups of friends
Jul 8, 2015
App allows friends to research venues, vote on plans and chat. And depending on how you run your ...
Windows 10 drops 29 July... but only for some
Jul 6, 2015
If you've reserved your copy of Windows 10 and are keenly awaiting its 29 July release, don't ...
Latest Comments
Polls
Should law enforcement be able to buy and use exploits?



   |   View results
Yes
  13%
 
No
  51%
 
Only in special circumstances
  17%
 
Yes, but with more transparency
  19%
TOTAL VOTES: 714

Vote