Risk
2/12/2013
03:18 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Fixes 57 Bugs In Windows, Office, IE

Microsoft package of security fixes is one of the biggest updates ever; security professionals advise installing it immediately.

8 Cool Windows 8 Tablets For Home And Office
8 Cool Windows 8 Tablets For Home And Office
(click image for larger view and for slideshow)
Microsoft has released its Patch Tuesday bundle of security fixes for February, and it's a big one. Comprised of 12 separate bulletins that address 57 distinct vulnerabilities, the new package will be keeping IT admins busy with Redmond's biggest update since the company nixed 64 flaws in April 2011.

Microsoft has rated five of the patches as critical and the other seven as important. Each of the full dozen requires or is likely to require that machines be restarted, so passive deployments aren't an option. The release is notable not only its volume but also its breadth. Affected products include Windows XP, Vista, 7, 8 and RT, Internet Explorer versions 6-10, Office, .NET Framework, and Windows Server 2003, 2008 and 2012. Essentially, if a business uses Microsoft products that receive security updates, it probably needs to deploy the patches.

Among the critical alerts, two focus on Internet Explorer bugs that could allow an attacker to remotely take over computers whose owners have visited websites injected with malicious code. With versions 6-10 of the browser vulnerable, the flaw affects almost all Windows-equipped PCs and tablets, from aging workstations to Surface RTs. The third critical patch pertains to Windows XP and Vista as well as Windows Server. It involves a vulnerability that could give an attacker control if the user opens specially-crafted media files. The fourth of the red-alert updates applies to Microsoft Exchange and the fifth addresses a remote-execution vulnerability in Windows XP.

[ Will these bug fixes stop zombies? Read Zombie Alert Hoax: Emergency Broadcast System Hacked. ]

Users who have automatic updates enabled should already have received the critical updates. Users who don't have automatic updates installed will have to update manually. The seven patches that Microsoft rated as important require manual installation regardless of user settings. They pertain chiefly to privilege elevation and denial-of-service vulnerabilities in Windows but also include a .NET bug and a flaw in Microsoft FAST Search Server 2010 for SharePoint.

Now that Microsoft has released the updates and published summaries, security professionals will have a chance to compare the vulnerabilities to attack methods they've encountered. Many had already encouraged quick compliance, though, based purely on the scant patch summary contained in Microsoft's advance notification.

Graham Cluley, senior technology consultant at Sophos, wrote in a blog post that hackers will begin examining the patches immediately in hopes of snaring vulnerable computers whose owners are slow to update. "The longer you take to update the security patch on your computer, the greater potential risk you could find yourself in," he said, adding that enterprises should not spend excessive time testing the fixes before rolling them out.

"The worry is even worse for corporations -- many of whom are reluctant to automatically roll-out Microsoft security patches until they are confident that they don't cause conflicts," he wrote.

Andrew Storms, director of security operations at nCircle, suggested in in a blog post that the Internet Explorer updates could be particularly important because they are delivered as separate bulletins. He said that is "unusual" because Microsoft generally delivers Web browser patches in a single package. "The planned delivery of two separate Internet Explorer bulletins has my Spidey sense on alert," he wrote.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?