03:18 PM
Connect Directly

Microsoft Fixes 57 Bugs In Windows, Office, IE

Microsoft package of security fixes is one of the biggest updates ever; security professionals advise installing it immediately.

8 Cool Windows 8 Tablets For Home And Office
8 Cool Windows 8 Tablets For Home And Office
(click image for larger view and for slideshow)
Microsoft has released its Patch Tuesday bundle of security fixes for February, and it's a big one. Comprised of 12 separate bulletins that address 57 distinct vulnerabilities, the new package will be keeping IT admins busy with Redmond's biggest update since the company nixed 64 flaws in April 2011.

Microsoft has rated five of the patches as critical and the other seven as important. Each of the full dozen requires or is likely to require that machines be restarted, so passive deployments aren't an option. The release is notable not only its volume but also its breadth. Affected products include Windows XP, Vista, 7, 8 and RT, Internet Explorer versions 6-10, Office, .NET Framework, and Windows Server 2003, 2008 and 2012. Essentially, if a business uses Microsoft products that receive security updates, it probably needs to deploy the patches.

Among the critical alerts, two focus on Internet Explorer bugs that could allow an attacker to remotely take over computers whose owners have visited websites injected with malicious code. With versions 6-10 of the browser vulnerable, the flaw affects almost all Windows-equipped PCs and tablets, from aging workstations to Surface RTs. The third critical patch pertains to Windows XP and Vista as well as Windows Server. It involves a vulnerability that could give an attacker control if the user opens specially-crafted media files. The fourth of the red-alert updates applies to Microsoft Exchange and the fifth addresses a remote-execution vulnerability in Windows XP.

[ Will these bug fixes stop zombies? Read Zombie Alert Hoax: Emergency Broadcast System Hacked. ]

Users who have automatic updates enabled should already have received the critical updates. Users who don't have automatic updates installed will have to update manually. The seven patches that Microsoft rated as important require manual installation regardless of user settings. They pertain chiefly to privilege elevation and denial-of-service vulnerabilities in Windows but also include a .NET bug and a flaw in Microsoft FAST Search Server 2010 for SharePoint.

Now that Microsoft has released the updates and published summaries, security professionals will have a chance to compare the vulnerabilities to attack methods they've encountered. Many had already encouraged quick compliance, though, based purely on the scant patch summary contained in Microsoft's advance notification.

Graham Cluley, senior technology consultant at Sophos, wrote in a blog post that hackers will begin examining the patches immediately in hopes of snaring vulnerable computers whose owners are slow to update. "The longer you take to update the security patch on your computer, the greater potential risk you could find yourself in," he said, adding that enterprises should not spend excessive time testing the fixes before rolling them out.

"The worry is even worse for corporations -- many of whom are reluctant to automatically roll-out Microsoft security patches until they are confident that they don't cause conflicts," he wrote.

Andrew Storms, director of security operations at nCircle, suggested in in a blog post that the Internet Explorer updates could be particularly important because they are delivered as separate bulletins. He said that is "unusual" because Microsoft generally delivers Web browser patches in a single package. "The planned delivery of two separate Internet Explorer bulletins has my Spidey sense on alert," he wrote.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-02
Buffer overflow in Canary Labs Trend Web Server before 9.5.2 allows remote attackers to execute arbitrary code via a crafted TCP packet.

Published: 2015-10-02
Cisco NX-OS 6.0(2)U6(0.46) on N3K devices allows remote authenticated users to cause a denial of service (temporary SNMP outage) via an SNMP request for an OID that does not exist, aka Bug ID CSCuw36684.

Published: 2015-10-02
Cisco Email Security Appliance (ESA) 8.5.6-106 and 9.6.0-042 allows remote authenticated users to cause a denial of service (file-descriptor consumption and device reload) via crafted HTTP requests, aka Bug ID CSCuw32211.

Published: 2015-10-01
lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.

Published: 2015-10-01
kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.