Microsoft delivers six patches

By on

"Critical" Windows kernel bug of most concern.

Microsoft has patched for 15 vulnerabilities with the distribution of six bulletins, one of which the software giant recommends administrators immediately apply.

That fix, MS09-065, corrects three vulnerabilities in Windows kernel-mode drivers. One of the flaws is considered "critical", but does not impact Vista or Server 2008.

The bug, however, can be exploited on Windows 2000, XP and Server 2003 machines to execute remote code if a user views content rendered in a maliciously-crafted Embedded OpenType font, used on web pages. Proof-of-concept code is already available to launch drive-by attacks, security researchers said yesterday. And, according to Microsoft, consistent exploit code is expected.

"We recommend customers prioritize and deploy this update immediately," Jerry Bryant, senior security program manager at Microsoft, wrote on the company's Security Response Center blog.

Ben Greenbaum, senior research manager at Symantec, agreed that the bulletin should be urgently deployed because the flaw is at the kernel level, meaning it does not matter with what privilege the user's machine is running.

"All that's required of a user to become infected by it is simply viewing a compromised web page," he said. "Symantec isn't seeing any active exploits of this in the wild yet, but we think attackers will be paying a lot of attention to it in the future."

Tuesday's update also includes two other "critical" bulletins, which address four vulnerabilities, and three "important" bulletins that take care of 10 bugs. One of those -- MS09-067 -- resolves eight flaws in Office that can lead to remote code execution if a user opens a specially-crafted Excel file.

Sheldon Malm, senior director of security strategy at Rapid7, a vulnerability management provider, called MS09-067 a "sleeper threat" because Microsoft considers it highly exploitable and because Excel is widely used.

Also, as part of the update, Microsoft re-released two patches: MS09-045 and MS09-051.

See original article on scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
fixes flaws microsoft patch patches security tuesday vulnerability windows
In Partnership With

Most Read Articles

Google ordered to reveal identity of anonymous reviewer

Google ordered to reveal identity of anonymous reviewer
NBN Co sees 250Mbps take-up rise after price cut

NBN Co sees 250Mbps take-up rise after price cut
ANZ and CBA push for consolidation of EFTPOS, BPAY and NPP

ANZ and CBA push for consolidation of EFTPOS, BPAY and NPP
Aussie Broadband lets customers 'kick' own connection

Aussie Broadband lets customers 'kick' own connection
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Driving business innovation through private cloud solutions
Driving business innovation through private cloud solutions
Future proofing your datacentre with hyperconverged infrastructure
Future proofing your datacentre with hyperconverged infrastructure
The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)
The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)
Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here

Events

Log In

Username / Email:
Password:
  |  Forgot your password?