Microsoft patches five holes, nukes six certificates

Powered by SC Magazine
 

Light updates hard on DigiNotar.

Microsoft released five bulletins rated as "important" yesterday – its lightest Patch Tuesday of the year.

Pete Voss, from Microsoft's Trustworthy Computing, said because nothing was rated as "critical", none of the patches were given a level one deployment priority.

However, Tyler Reguly, technical manager of security research and development at nCircle, said priority should be given to the Excel patch because Microsoft accidentally released the patches last Friday.

Qualys technology head Wolfgang Kandek said top priority should be given to MS11-072, which fixed an arbitrary code execution vulnerability in all versions of Excel.

“To exploit this issue, attackers could create malicious Excel files, which when opened on vulnerable hosts can take control of the system," he said.

"Priority should also be given to MS11-073, which fixes a code execution vulnerability in Microsoft Office versions 2003, 2007 and 2010, including Microsoft Word. Attackers could use a malicious word file (CVE-2011-1982) to execute code on victim machines.”

Vmware research and development head Jason Miller said vulnerability MS11-073 addressed an issue with Microsoft Office that would be difficult to exploit, and offered two attack scenarios.

"Scenario one: An attacker entices a user to open an Office file located in a directory with a malicious DLL (this scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL)."

“Scenario two: An attacker sends a malicious Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL. Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed. This feature was originally introduced in Microsoft Office 2010. Microsoft has since provided this defence-in-depth measure through an update.”

Kandek also highlighted bulletin MS11-070, which patches a DLL preloading issue that affects the deskpan.dll component in all versions of Windows.

“Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2). In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine. Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine. This could result in elevation of privilege,” said Miller.

Microsoft also banned six additional DigiNotar root certificates, cross-signed by Entrust and GTE.

nCircle security director Andrew Storms said Microsoft "anything and everything associated with DigiNotar is getting purged”.

Elsewhere, Skype has issued support for Windows 8, while Adobe released critical vulnerability patches for its Acrobat and Reader products.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Microsoft patches five holes, nukes six certificates
 
 
 
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
 
Five emerging technologies that will transform financial services
[Blog post] Far out ideas that aren't far off.
 
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Pass on carbon tax savings, warns ACCC
Jul 24, 2014
The ACCC is warning businesses that supply "regulated goods" to pass on any cost savings ...
Have customers that won't pay debts?
Jul 10, 2014
The ACCC and ASIC have updated their advice when it comes to collecting debts.
Carpet cleaner faces court over online testimonials
Jul 4, 2014
The ACCC has initiated proceedings against A Whistle (1979) Pty Ltd, the franchisor of Electrodry...
You can now get 15GB of free online storage using Microsoft OneDrive
Jun 25, 2014
Cloud storage has reached both the capacity and price where it's a viable alternative to local ...
Another clever trick you can perform with Xero
Jun 25, 2014
Here is another way to reach out to particular subsets of your customers using Xero.
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  27%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  23%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 928

Vote