Risk
2/12/2013
03:18 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Fixes 57 Bugs In Windows, Office, IE

Microsoft package of security fixes is one of the biggest updates ever; security professionals advise installing it immediately.

8 Cool Windows 8 Tablets For Home And Office
8 Cool Windows 8 Tablets For Home And Office
(click image for larger view and for slideshow)
Microsoft has released its Patch Tuesday bundle of security fixes for February, and it's a big one. Comprised of 12 separate bulletins that address 57 distinct vulnerabilities, the new package will be keeping IT admins busy with Redmond's biggest update since the company nixed 64 flaws in April 2011.

Microsoft has rated five of the patches as critical and the other seven as important. Each of the full dozen requires or is likely to require that machines be restarted, so passive deployments aren't an option. The release is notable not only its volume but also its breadth. Affected products include Windows XP, Vista, 7, 8 and RT, Internet Explorer versions 6-10, Office, .NET Framework, and Windows Server 2003, 2008 and 2012. Essentially, if a business uses Microsoft products that receive security updates, it probably needs to deploy the patches.

Among the critical alerts, two focus on Internet Explorer bugs that could allow an attacker to remotely take over computers whose owners have visited websites injected with malicious code. With versions 6-10 of the browser vulnerable, the flaw affects almost all Windows-equipped PCs and tablets, from aging workstations to Surface RTs. The third critical patch pertains to Windows XP and Vista as well as Windows Server. It involves a vulnerability that could give an attacker control if the user opens specially-crafted media files. The fourth of the red-alert updates applies to Microsoft Exchange and the fifth addresses a remote-execution vulnerability in Windows XP.

[ Will these bug fixes stop zombies? Read Zombie Alert Hoax: Emergency Broadcast System Hacked. ]

Users who have automatic updates enabled should already have received the critical updates. Users who don't have automatic updates installed will have to update manually. The seven patches that Microsoft rated as important require manual installation regardless of user settings. They pertain chiefly to privilege elevation and denial-of-service vulnerabilities in Windows but also include a .NET bug and a flaw in Microsoft FAST Search Server 2010 for SharePoint.

Now that Microsoft has released the updates and published summaries, security professionals will have a chance to compare the vulnerabilities to attack methods they've encountered. Many had already encouraged quick compliance, though, based purely on the scant patch summary contained in Microsoft's advance notification.

Graham Cluley, senior technology consultant at Sophos, wrote in a blog post that hackers will begin examining the patches immediately in hopes of snaring vulnerable computers whose owners are slow to update. "The longer you take to update the security patch on your computer, the greater potential risk you could find yourself in," he said, adding that enterprises should not spend excessive time testing the fixes before rolling them out.

"The worry is even worse for corporations -- many of whom are reluctant to automatically roll-out Microsoft security patches until they are confident that they don't cause conflicts," he wrote.

Andrew Storms, director of security operations at nCircle, suggested in in a blog post that the Internet Explorer updates could be particularly important because they are delivered as separate bulletins. He said that is "unusual" because Microsoft generally delivers Web browser patches in a single package. "The planned delivery of two separate Internet Explorer bulletins has my Spidey sense on alert," he wrote.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-7839
Published: 2014-11-25
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

CVE-2014-8001
Published: 2014-11-25
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8002
Published: 2014-11-25
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?