Microsoft preps 16 patches, one for cookiejacking

Microsoft plays down risk of cookiejacking.

Microsoft is prepping 16 patches, to be delivered Tuesday, that fix 34 vulnerabilities across its product line.

The patches will mend issues in Windows, Office, Internet Explorer, .NET Framework, SQL Server, Visual Studio, Silverlight and ISA Server.

Nine of the bulletins are rated "critical," while the remaining seven carry an "important" designation. The update touches all versions of Windows, Excel and Internet Explorer.

Two patches for Internet Explorer are among the more notable fixes. One will address an issue known as "cookiejacking," which involves an attacker accessing a cookie to steal access credentials.

Italian security researcher Rosario Valotta disclosed the vulnerability late last month and said that it could be used to steal usernames and passwords used to log in to popular sites such as Facebook and Twitter.

For users to be exploited, they must be tricked into dragging an object across their screen and dropping it into an "attacker controlled HTML element," a type of clickjacking tactic sometimes employed by hackers.

But Microsoft Trustworthy Computing senior communications manager Angela Gunn played down the likelihood of exploits.

"Given the prevalence of other types of social engineering methods in use by criminals, which provide access to much more than cookies, we believe this issue poses lower risk to customers," she wrote on a blog.

Tuesday will be a busy day for IT administrators, as Adobe also is planning updates to its Reader and Acrobat products. These come as part of a quarterly release cycle.

This article originally appeared at

Copyright © SC Magazine, US edition