Microsoft pushes nine fixes for 16 flaws

Powered by SC Magazine
 

Gaping Core XML Services hole fixed.

Microsoft on Tuesday issued nine security bulletins to address three "critical" and six "important" security issues.

The patches righted 16 flaws in Windows, Internet Explorer, Office, SharePoint, and Visual Basic for Applications.

Yunsun Wee of Microsoft Trustworthy Computing recommended organisations prioritise patching the three critical updates first, which includes a fix for the zero-day vulnerability in Microsoft Core XML Services (MSXML) that was disclosed in early June. Attackers have been targeting the vulnerability already, and exploit code has been added to the BlackHole malware toolkit and to the Metasploit penetration testing framework.

"[Bulletin] MS12-046 has the fix that IT folks have been waiting a month for," Marc Maiffret, CTO of identity management company BeyondTrust, told SCMagazine.com.

However, the update applies to only MSXML versions 3, 4, and 6. The fix for MSXML 5 is expected at a later date as the Microsoft team has not yet finished testing the patch, so organisations running Office 2003 and 2007, Office Word Viewer, Expression Web Edition, Office SharePoint Server 2007, and Groove Server 2007 are left unprotected, Maiffret said.

Since MSXML 5 is not on the pre-approved ActiveX controls list, users should see a big warning when browsing to a site that tries to load the MSXML 5 ActiveX control so they would notice when they are being targeted, he said.

Microsoft issued a Fix-It document shortly after disclosing the flaw, which outlined some mitigation activities organizations can apply while waiting for the patch. Organizations with version 5 should implement the Fix-It if they haven't already done so, Maiffret said.

Meanwhile, the cumulative update for Internet Explorer 9 addresses two critical vulnerabilities and should be applied immediately. 

"Both can be triggered through a malicious web page, and both allow the attacker remote code execution, [meaning] full control of the targeted machine," said Wolfgang Kandek, CTO of vulnerability management firm Qualys. Microsoft assigned an Exploitability Index rating of 1 to these bugs, which means the company believes attackers would be able to easily reverse engineer the patch and develop an exploit within 30 days.

The third critical bulletin is an update for the Microsoft Data Access Component (MDAC) in Microsoft Windows. The most likely attack vector is through the web browser, Kaspersky Lab's Kurt Baumgartner said. This flaw is "reminiscent" of an older MDAC vulnerability which was added to several popular exploit toolkits and is still seen in attacks, Baumgartner said. 

Maiffret agreed. "This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner than later given it affects most OSs and is a straight forward to exploit."

Along with the patches, Microsoft also issued two security advisories. The first described changes in how the software giant will handle certificates and the upcoming certificate management tool for recent versions of Windows.

RSA certificates with fewer than a 1,024-bit key length will be considered insecure by default, according to the advisory. The new certificate management tool will allow Microsoft to react more rapidly to certificate problems, such as the one that enabled the Flame virus to spread.

The second advisory offers users a tool to disable "Gadgets" in Windows Vista and 7 as support is being discontinued by Microsoft. Gadgets will not exist in Windows 8.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft pushes nine fixes for 16 flaws
 
 
 
Top Stories
Australia's godfather of agile
Few technology leaders have seen the forces of digital disruption so repeatedly and at such close quarters than Nigel Dalton, CIO of the REA Group.
 
Photos: Innovation sprouts up among the lettuces
Inside the 21st Century farms managed from a smartphone.
 
Slow progress in Turnbullistan
[Blog post] How has the NBN moved ahead since regime change?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Have customers that won't pay debts?
Jul 10, 2014
The ACCC and ASIC have updated their advice when it comes to collecting debts.
Carpet cleaner faces court over online testimonials
Jul 4, 2014
The ACCC has initiated proceedings against A Whistle (1979) Pty Ltd, the franchisor of Electrodry...
You can now get 15GB of free online storage using Microsoft OneDrive
Jun 25, 2014
Cloud storage has reached both the capacity and price where it's a viable alternative to local ...
Another clever trick you can perform with Xero
Jun 25, 2014
Here is another way to reach out to particular subsets of your customers using Xero.
Have a phone, tablet and laptop?
Jun 20, 2014
This new Telstra pre-paid 4G mobile hotspot might be useful if you regularly need to use fast ...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  24%
 
Application integration concerns
  3%
 
Security and compliance concerns
  31%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  24%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 572

Vote