Microsoft patches five holes, nukes six certificates

Powered by SC Magazine
 

Light updates hard on DigiNotar.

Microsoft released five bulletins rated as "important" yesterday – its lightest Patch Tuesday of the year.

Pete Voss, from Microsoft's Trustworthy Computing, said because nothing was rated as "critical", none of the patches were given a level one deployment priority.

However, Tyler Reguly, technical manager of security research and development at nCircle, said priority should be given to the Excel patch because Microsoft accidentally released the patches last Friday.

Qualys technology head Wolfgang Kandek said top priority should be given to MS11-072, which fixed an arbitrary code execution vulnerability in all versions of Excel.

“To exploit this issue, attackers could create malicious Excel files, which when opened on vulnerable hosts can take control of the system," he said.

"Priority should also be given to MS11-073, which fixes a code execution vulnerability in Microsoft Office versions 2003, 2007 and 2010, including Microsoft Word. Attackers could use a malicious word file (CVE-2011-1982) to execute code on victim machines.”

Vmware research and development head Jason Miller said vulnerability MS11-073 addressed an issue with Microsoft Office that would be difficult to exploit, and offered two attack scenarios.

"Scenario one: An attacker entices a user to open an Office file located in a directory with a malicious DLL (this scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL)."

“Scenario two: An attacker sends a malicious Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL. Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed. This feature was originally introduced in Microsoft Office 2010. Microsoft has since provided this defence-in-depth measure through an update.”

Kandek also highlighted bulletin MS11-070, which patches a DLL preloading issue that affects the deskpan.dll component in all versions of Windows.

“Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2). In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine. Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine. This could result in elevation of privilege,” said Miller.

Microsoft also banned six additional DigiNotar root certificates, cross-signed by Entrust and GTE.

nCircle security director Andrew Storms said Microsoft "anything and everything associated with DigiNotar is getting purged”.

Elsewhere, Skype has issued support for Windows 8, while Adobe released critical vulnerability patches for its Acrobat and Reader products.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Microsoft patches five holes, nukes six certificates
 
 
 
Top Stories
 
IAG hands digital chief his own ‘Labs’ division
Enterprise ops chief squeezed out in restructure.
 
End of IT shared services experiment looms for SA govt
Centralised tech trickles to a halt.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
The 5 Windows 10 privacy issues you should be aware of
Jul 31, 2015
There are a few unsettling details when it comes to Windows 10 privacy
Windows 10 is here! (For some)
Jul 29, 2015
Delivery of the free upgrade versions of Windows 10 began today - have you got yours yet?
Microsoft reveals Microsoft Send, a new enterprise chat app to rival Slack
Jul 27, 2015
Microsoft Send is MSN Messenger for grownups, and you could be using it at work very soon
Developers offered $500,000 grants to find HoloLens uses
Jul 8, 2015
Can augmented-reality end up in business?
Microsoft Tossup: The planning app for unorganised groups of friends
Jul 8, 2015
App allows friends to research venues, vote on plans and chat. And depending on how you run your ...
Latest Comments
Polls
Should law enforcement be able to buy and use exploits?



   |   View results
Yes
  14%
 
No
  51%
 
Only in special circumstances
  17%
 
Yes, but with more transparency
  18%
TOTAL VOTES: 786

Vote