iTnews

Microsoft patches five holes, nukes six certificates

By Dan Raywood on Sep 15, 2011 7:46AM
Microsoft patches five holes, nukes six certificates

Light updates hard on DigiNotar.

Microsoft released five bulletins rated as "important" yesterday – its lightest Patch Tuesday of the year.

Pete Voss, from Microsoft's Trustworthy Computing, said because nothing was rated as "critical", none of the patches were given a level one deployment priority.

However, Tyler Reguly, technical manager of security research and development at nCircle, said priority should be given to the Excel patch because Microsoft accidentally released the patches last Friday.

Qualys technology head Wolfgang Kandek said top priority should be given to MS11-072, which fixed an arbitrary code execution vulnerability in all versions of Excel.

“To exploit this issue, attackers could create malicious Excel files, which when opened on vulnerable hosts can take control of the system," he said.

"Priority should also be given to MS11-073, which fixes a code execution vulnerability in Microsoft Office versions 2003, 2007 and 2010, including Microsoft Word. Attackers could use a malicious word file (CVE-2011-1982) to execute code on victim machines.”

Vmware research and development head Jason Miller said vulnerability MS11-073 addressed an issue with Microsoft Office that would be difficult to exploit, and offered two attack scenarios.

"Scenario one: An attacker entices a user to open an Office file located in a directory with a malicious DLL (this scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL)."

“Scenario two: An attacker sends a malicious Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL. Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed. This feature was originally introduced in Microsoft Office 2010. Microsoft has since provided this defence-in-depth measure through an update.”

Kandek also highlighted bulletin MS11-070, which patches a DLL preloading issue that affects the deskpan.dll component in all versions of Windows.

“Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2). In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine. Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine. This could result in elevation of privilege,” said Miller.

Microsoft also banned six additional DigiNotar root certificates, cross-signed by Entrust and GTE.

nCircle security director Andrew Storms said Microsoft "anything and everything associated with DigiNotar is getting purged”.

Elsewhere, Skype has issued support for Windows 8, while Adobe released critical vulnerability patches for its Acrobat and Reader products.

This article originally appeared at scmagazineuk.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
adobecertificatesdigitnotarexploitsmicrosoftpatchingsecurityskypevulnerabilities

Partner Content

Tick off the ransomware bandits
Promoted Content Tick off the ransomware bandits
Teaching tech teams every step of implementing a machine learning project
Promoted Content Teaching tech teams every step of implementing a machine learning project
Security "mindset shift" needed to protect organisations
Promoted Content Security "mindset shift" needed to protect organisations
Top 5 Benefits of Managed IT Services
Promoted Content Top 5 Benefits of Managed IT Services

Sponsored Whitepapers

Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
Don’t pay the ransom: A three-step guide to ransomware protection

Events

  • iTnews Benchmark Awards 2022 - Finalist Showcase
  • 11th Annual Fraud Prevention Summit 2022
  • IoT Impact Conference
  • Cyber Security for Government Summit
By Dan Raywood
Sep 15 2011
7:46AM
0 Comments

Related Articles

  • Microsoft pushes patch for exploited flaw in on-prem Exchange
  • Researchers find APT campaigns share known vulnerabilities
  • Microsoft security patches breaking authentication
  • Active Directory defaults lead to no-fix PrivEsc vulnerability
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Kmart Australia stands up consent-as-a-service platform

Kmart Australia stands up consent-as-a-service platform

NSW digital driver's licences 'easily forgeable'

NSW digital driver's licences 'easily forgeable'

Kmart Australia re-platforms ecommerce site to AWS

Kmart Australia re-platforms ecommerce site to AWS

Westpac promotes its head of technology to mortgage role

Westpac promotes its head of technology to mortgage role

Digital Nation

As NFTs gain traction, businesses start taking early bets
As NFTs gain traction, businesses start taking early bets
Metaverse hype will transition into new business models by mid decade: Gartner
Metaverse hype will transition into new business models by mid decade: Gartner
The other ‘CTO’: The emerging role of the chief transformation officer
The other ‘CTO’: The emerging role of the chief transformation officer
COVER STORY: From cost control to customer fanatics, AI is transforming the contact centre
COVER STORY: From cost control to customer fanatics, AI is transforming the contact centre
Case Study: PlayHQ leverages graph technologies for sports administration
Case Study: PlayHQ leverages graph technologies for sports administration
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.