Risk
2/12/2013
03:18 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Fixes 57 Bugs In Windows, Office, IE

Microsoft package of security fixes is one of the biggest updates ever; security professionals advise installing it immediately.

8 Cool Windows 8 Tablets For Home And Office
8 Cool Windows 8 Tablets For Home And Office
(click image for larger view and for slideshow)
Microsoft has released its Patch Tuesday bundle of security fixes for February, and it's a big one. Comprised of 12 separate bulletins that address 57 distinct vulnerabilities, the new package will be keeping IT admins busy with Redmond's biggest update since the company nixed 64 flaws in April 2011.

Microsoft has rated five of the patches as critical and the other seven as important. Each of the full dozen requires or is likely to require that machines be restarted, so passive deployments aren't an option. The release is notable not only its volume but also its breadth. Affected products include Windows XP, Vista, 7, 8 and RT, Internet Explorer versions 6-10, Office, .NET Framework, and Windows Server 2003, 2008 and 2012. Essentially, if a business uses Microsoft products that receive security updates, it probably needs to deploy the patches.

Among the critical alerts, two focus on Internet Explorer bugs that could allow an attacker to remotely take over computers whose owners have visited websites injected with malicious code. With versions 6-10 of the browser vulnerable, the flaw affects almost all Windows-equipped PCs and tablets, from aging workstations to Surface RTs. The third critical patch pertains to Windows XP and Vista as well as Windows Server. It involves a vulnerability that could give an attacker control if the user opens specially-crafted media files. The fourth of the red-alert updates applies to Microsoft Exchange and the fifth addresses a remote-execution vulnerability in Windows XP.

[ Will these bug fixes stop zombies? Read Zombie Alert Hoax: Emergency Broadcast System Hacked. ]

Users who have automatic updates enabled should already have received the critical updates. Users who don't have automatic updates installed will have to update manually. The seven patches that Microsoft rated as important require manual installation regardless of user settings. They pertain chiefly to privilege elevation and denial-of-service vulnerabilities in Windows but also include a .NET bug and a flaw in Microsoft FAST Search Server 2010 for SharePoint.

Now that Microsoft has released the updates and published summaries, security professionals will have a chance to compare the vulnerabilities to attack methods they've encountered. Many had already encouraged quick compliance, though, based purely on the scant patch summary contained in Microsoft's advance notification.

Graham Cluley, senior technology consultant at Sophos, wrote in a blog post that hackers will begin examining the patches immediately in hopes of snaring vulnerable computers whose owners are slow to update. "The longer you take to update the security patch on your computer, the greater potential risk you could find yourself in," he said, adding that enterprises should not spend excessive time testing the fixes before rolling them out.

"The worry is even worse for corporations -- many of whom are reluctant to automatically roll-out Microsoft security patches until they are confident that they don't cause conflicts," he wrote.

Andrew Storms, director of security operations at nCircle, suggested in in a blog post that the Internet Explorer updates could be particularly important because they are delivered as separate bulletins. He said that is "unusual" because Microsoft generally delivers Web browser patches in a single package. "The planned delivery of two separate Internet Explorer bulletins has my Spidey sense on alert," he wrote.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report