Risk
2/12/2013
03:18 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%
Repost This

Microsoft Fixes 57 Bugs In Windows, Office, IE

Microsoft package of security fixes is one of the biggest updates ever; security professionals advise installing it immediately.

8 Cool Windows 8 Tablets For Home And Office
8 Cool Windows 8 Tablets For Home And Office
(click image for larger view and for slideshow)
Microsoft has released its Patch Tuesday bundle of security fixes for February, and it's a big one. Comprised of 12 separate bulletins that address 57 distinct vulnerabilities, the new package will be keeping IT admins busy with Redmond's biggest update since the company nixed 64 flaws in April 2011.

Microsoft has rated five of the patches as critical and the other seven as important. Each of the full dozen requires or is likely to require that machines be restarted, so passive deployments aren't an option. The release is notable not only its volume but also its breadth. Affected products include Windows XP, Vista, 7, 8 and RT, Internet Explorer versions 6-10, Office, .NET Framework, and Windows Server 2003, 2008 and 2012. Essentially, if a business uses Microsoft products that receive security updates, it probably needs to deploy the patches.

Among the critical alerts, two focus on Internet Explorer bugs that could allow an attacker to remotely take over computers whose owners have visited websites injected with malicious code. With versions 6-10 of the browser vulnerable, the flaw affects almost all Windows-equipped PCs and tablets, from aging workstations to Surface RTs. The third critical patch pertains to Windows XP and Vista as well as Windows Server. It involves a vulnerability that could give an attacker control if the user opens specially-crafted media files. The fourth of the red-alert updates applies to Microsoft Exchange and the fifth addresses a remote-execution vulnerability in Windows XP.

[ Will these bug fixes stop zombies? Read Zombie Alert Hoax: Emergency Broadcast System Hacked. ]

Users who have automatic updates enabled should already have received the critical updates. Users who don't have automatic updates installed will have to update manually. The seven patches that Microsoft rated as important require manual installation regardless of user settings. They pertain chiefly to privilege elevation and denial-of-service vulnerabilities in Windows but also include a .NET bug and a flaw in Microsoft FAST Search Server 2010 for SharePoint.

Now that Microsoft has released the updates and published summaries, security professionals will have a chance to compare the vulnerabilities to attack methods they've encountered. Many had already encouraged quick compliance, though, based purely on the scant patch summary contained in Microsoft's advance notification.

Graham Cluley, senior technology consultant at Sophos, wrote in a blog post that hackers will begin examining the patches immediately in hopes of snaring vulnerable computers whose owners are slow to update. "The longer you take to update the security patch on your computer, the greater potential risk you could find yourself in," he said, adding that enterprises should not spend excessive time testing the fixes before rolling them out.

"The worry is even worse for corporations -- many of whom are reluctant to automatically roll-out Microsoft security patches until they are confident that they don't cause conflicts," he wrote.

Andrew Storms, director of security operations at nCircle, suggested in in a blog post that the Internet Explorer updates could be particularly important because they are delivered as separate bulletins. He said that is "unusual" because Microsoft generally delivers Web browser patches in a single package. "The planned delivery of two separate Internet Explorer bulletins has my Spidey sense on alert," he wrote.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web