The Security Pub

Random Thoughts About Security

Microsoft Security Patches for April

This month's Patch Tuesday brings a staggering 17 security bulletins (nine of which carry Microsoft's highest severity rating of "critical"), addressing 64 security vulnerabilities. The software with bugs said to be fixed by the patches includes Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio and the .NET Framework.

One of the vulnerabilities reportedly fixed is the MHTML rendering flaw that was discovered earlier this year. Internet Explorer was one of the products found to be at risk from the zero-day vulnerability, which could allow maliciously crafted web pages to execute code in any "zone" regardless of which zone is specified.

Bulletin Summary

Bulletin ID | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software*
Bulletin 1 | Critical | Remote Code Execution | Requires restart | Internet Explorer on Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 2 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 3 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 4 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 5 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 6 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Office XP.
Bulletin 7 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 8 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 9 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 10 | Important | Remote Code Execution | May require restart | Microsoft Excel 2002, Excel 2003, Excel 2007, Excel 2010, Office 2004 for Mac, Office 2008 for Mac, Office for Mac 2011, Open XML File Format Converter for Mac, Excel Viewer, and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.
Bulletin 11 | Important | Remote Code Execution | May require restart | Microsoft PowerPoint 2002, PowerPoint 2003, PowerPoint 2007, PowerPoint 2010, Office 2004 for Mac, Office 2008 for Mac, Office for Mac 2011, Open XML File Format Converter for Mac, PowerPoint Viewer, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and PowerPoint Web App.
Bulletin 12 | Important | Remote Code Execution | May require restart | Microsoft Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac.
Bulletin 13 | Important | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 14 | Important | Remote Code Execution | May require restart | Microsoft Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual Studio 2010, Visual C++ 2005 SP1 Redistributable Package, Visual C++ 2008 SP1 Redistributable Package, and Visual C++ 2010 Redistributable Package.
Bulletin 15 | Important | Information Disclosure | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Bulletin 16 | Important | Remote Code Execution | May require restart | Microsoft Windows XP and Windows Server 2003.
Bulletin 17 | Important | Elevation of Privilege | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

* The list of affected software in the summary table is an abstract. To see the full list of affected components, follow the "Advance Notification Webpage" link below and review the "Affected Software" section.

Further information on the patches can be found in the advance notice that Microsoft has published on its website.

Microsoft Patchday ahead

The Redmond company today announced that it plans to release 12 security bulletins on the upcoming Patch Tuesday. The corresponding updates close 22 security holes in the Windows operating systems, Internet Explorer and Microsoft Office. Three of the bulletins address vulnerabilities rated critical and the rest are rated important. Be prepared to test and roll out the updates as soon as possible! Five of the bulletins deal with vulnerabilities that allow attackers to remotely execute code on affected computers.

According to a blog post from Microsoft's Security Response Center, the February Patchday updates will fix the MHTML processing vulnerability as well as the thumbnail rendering security hole.

Microsoft to Patch 13 Security Holes in Windows, Office

Microsoft is planning another busy Patch Tuesday this month, with nine bulletins that tackle a total of 13 vulnerabilities ready for delivery next Tuesday (14 September).

According to Microsoft, the Office bulletins will cover security holes in Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2007. It is likely these will include fixes for the DLL load hijacking attack vector that affects hundreds of Windows applications.

Seven of the nine bulletins address flaws that could lead to remote code execution, so it's important for affected Windows users to pay close attention to this patch batch.

Password Best Practices Are Not Being Encouraged

There has been a steady flow of academic studies into the insecurity of the username/password authentication system (a number of which we’ve covered at Ars) that suggest it’s doomed to failure: humans have a limited memory capacity for unique strings of random characters, which is precisely what most experts recommend as a secure password.

Check out the article – [Ars Technica]

Check out the study [weis2010.econinfosec.org]

Microsoft Patch Tuesday for June 2010

Microsoft is lining up a bumper load of 10 security bulletins covering 34 vulnerabilities for June’s Patch Tuesday release. Three of the 10 bulletins, due on 8 June, cover critical flaws, normally defined as security holes that might allow an attacker to take full control of the targeted machine. The other seven notices fall in the lesser category of important and deal with bugs in Windows and Office.

The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already, explained Wolfgang Kandek, CTO of Qualys.

Check out the article – [The Register]

Recognizing Fraudulent Web Addresses

We all know that we should never click on links received in e-mails that we were not expecting or that come from someone we do not know. The same rule applies to links we encounter on blogs, discussion boards or social networking sites. However, sometimes we may want extra assurance that a link really is legitimate. Understanding the anatomy of a web address can help you spot fraudulent links. Imagine the address below is your bank's web address, the one printed at the top of each monthly statement:

http://www.yourfavoritebank.com/lgo

Look between the http:// or https:// and the next / to determine the web address you are actually being sent to. In the example above that is www.yourfavoritebank.com; everything after the next / (here, /lgo) is just a page on that site and tells you nothing about who owns it.

Phishers and scammers may try tricks such as:

  • Misspelling the web address.

For example, they may create a web site with the address http://www.yourfavoritbank.com/ hoping that you won’t notice the missing “e” at the end of “favorite.”

  • Creating a long address that includes the real web address.

For example, they may create a web site with the address http://www.mnopq.com/yourfavoritebank.com hoping that you won't notice that you are actually visiting the site mnopq.com, and that yourfavoritebank.com is merely part of the path.

  • Using a plausible, but not legitimate web address.

For example, they may create a web site with the address http://www.yourfavoritebank-securitycenter.net/ hoping that you won’t verify the actual address of Your Favorite Bank.

When in doubt, don't click that link. When accessing sites that are commonly spoofed in phishing messages, like bank or social networking sites, reach the site by typing in the address from memory or from official correspondence (e.g. your monthly statement), or use your "Favorites" list.
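The "look between http:// and the next /" rule above can be written down as a check. The Python below is an added example, not code from the original post: it pulls the host out of a link the way a browser would and then tests it against the three tricks described above (misspelled domain, real domain hidden in the path, plausible-but-different domain). It goes slightly beyond the post by also handling two variants that defeat a purely visual reading, a user@host prefix (http://www.yourfavoritebank.com@evil.example/) and the real name used as a subdomain of an attacker's domain (yourfavoritebank.com.evil.example). The trusted domain yourfavoritebank.com is the post's hypothetical example, the `.example` hosts are constructed test inputs, and the "last two labels" idea of a registered domain is a deliberate simplification (it ignores suffixes such as co.uk).

```python
from urllib.parse import urlsplit

# Hypothetical trusted domain taken from the post's example. In practice,
# compare against the address printed on your own statement.
TRUSTED_DOMAIN = "yourfavoritebank.com"


def host_of(url: str) -> str:
    """Return the lowercase host of an http(s) URL: the text between the
    scheme and the next '/', with any user:password@ prefix and :port
    removed (urlsplit().hostname does both for us). Non-http schemes give ''."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".")


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels (www.example.com -> example.com).
    Assumption for illustration only; it ignores multi-label suffixes like co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings
    such as the missing 'e' in yourfavoritbank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a link relative to the trusted domain.

    trusted               host is the trusted domain or one of its subdomains
    typosquat             registered domain is within two edits of the trusted one
    brand-in-other-domain the brand name appears in the host, but the host is
                          not the trusted domain (yourfavoritebank-securitycenter.net,
                          yourfavoritebank.com.evil.example)
    brand-outside-host    the brand name appears only in the path, query or
                          user@ part (www.mnopq.com/yourfavoritebank.com)
    unrelated             none of the above
    unparseable           not an http(s) URL with a host
    """
    host = host_of(url)
    if not host:
        return "unparseable"
    brand = trusted.split(".")[0]                       # "yourfavoritebank"
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    if edit_distance(registered_domain(host), trusted) <= 2:
        return "typosquat"
    if brand in host:
        return "brand-in-other-domain"
    if brand in url.lower():
        return "brand-outside-host"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links: the post's three examples plus two variants.
    for link in [
        "http://www.yourfavoritebank.com/lgo",
        "http://www.yourfavoritbank.com/",
        "http://www.mnopq.com/yourfavoritebank.com",
        "http://www.yourfavoritebank-securitycenter.net/",
        "http://www.yourfavoritebank.com@evil.example/login",
        "http://yourfavoritebank.com.evil.example/",
    ]:
        print(f"{classify_link(link):22} {host_of(link):40} {link}")
```

Only the "trusted" verdict means the host really belongs to the bank; everything else is a reason to stop and type the address yourself. Note what the user@ case shows: the real domain is visible in the link text, yet the browser connects to the host after the @, which is why the rule is "between the scheme and the next /", not "anywhere in the link".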

MS Security Patches for December

Microsoft has issued a Security Bulletin Advance Notification indicating that its December release cycle will contain six bulletins, three of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows, Microsoft Office, and Internet Explorer. There will also be three Important bulletins for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, December 8.

Source [US-CERT]