Microsoft patches five holes, nukes six certificates

Powered by SC Magazine
 

Light updates hard on DigiNotar.

Microsoft released five bulletins rated as "important" yesterday – its lightest Patch Tuesday of the year.

Pete Voss, from Microsoft's Trustworthy Computing, said because nothing was rated as "critical", none of the patches were given a level one deployment priority.

However, Tyler Reguly, technical manager of security research and development at nCircle, said priority should be given to the Excel patch because Microsoft accidentally released the patches last Friday.

Qualys technology head Wolfgang Kandek said top priority should be given to MS11-072, which fixed an arbitrary code execution vulnerability in all versions of Excel.

“To exploit this issue, attackers could create malicious Excel files, which when opened on vulnerable hosts can take control of the system," he said.

"Priority should also be given to MS11-073, which fixes a code execution vulnerability in Microsoft Office versions 2003, 2007 and 2010, including Microsoft Word. Attackers could use a malicious word file (CVE-2011-1982) to execute code on victim machines.”

Vmware research and development head Jason Miller said vulnerability MS11-073 addressed an issue with Microsoft Office that would be difficult to exploit, and offered two attack scenarios.

"Scenario one: An attacker entices a user to open an Office file located in a directory with a malicious DLL (this scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL)."

“Scenario two: An attacker sends a malicious Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL. Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed. This feature was originally introduced in Microsoft Office 2010. Microsoft has since provided this defence-in-depth measure through an update.”

Kandek also highlighted bulletin MS11-070, which patches a DLL preloading issue that affects the deskpan.dll component in all versions of Windows.

“Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2). In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine. Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine. This could result in elevation of privilege,” said Miller.

Microsoft also banned six additional DigiNotar root certificates, cross-signed by Entrust and GTE.

nCircle security director Andrew Storms said Microsoft "anything and everything associated with DigiNotar is getting purged”.

Elsewhere, Skype has issued support for Windows 8, while Adobe released critical vulnerability patches for its Acrobat and Reader products.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Microsoft patches five holes, nukes six certificates
 
 
 
Top Stories
Australia's digital crescendo
Barely unpacked from his move from Amsterdam, Southern Cross Austereo's new digital boss Vijay Solanki is looking for Australia's untapped potential.
 
Turnbull nabs UK govt digital guru as DTO chief
Inaugural CEO to lead change agenda.
 
NBN to offer TV connections through fibre for greenfields
Ditching aerials to come at a cost.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Windows 10 drops 29 July... but only for some
Jul 6, 2015
If you've reserved your copy of Windows 10 and are keenly awaiting its 29 July release, don't ...
Xerocon is heading to Melbourne!
Jul 1, 2015
We're not saying Xero is our FAVOURITE or anything, but Xero's 2015 Xerocon conference is being ...
New Microsoft Office apps for Android phones
Jun 26, 2015
Microsoft's latest Office apps for Android now work on phones as well as tablets, further ...
Windows 10 UK price revealed, but don't believe everything you hear
Jun 26, 2015
Windows 10 £99 price tag for users in the UK (who presumably don't already have Win 7 Pro ...
Now Xero notifies iOS users of new transactions
Jun 24, 2015
The latest version of Xero's iPhone app includes notifications when new transactions arrive from ...
Latest Comments
Polls
Is site blocking effective in stopping piracy?


   |   View results
Yes
  2%
 
No
  86%
 
Somewhat
  12%
TOTAL VOTES: 806

Vote