Risk
7/9/2013
09:09 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Patch Tuesday Fixes Six Critical Bugs

Microsoft issues patches for an unusual number of critical vulnerabilities that encompass the company's entire software ecosystem.

10 Hidden Benefits of Windows 8.1
10 Hidden Benefits of Windows 8.1
(click image for larger view)
Microsoft has been focusing on Windows 8 lately, but there are numerous versions of Windows in use and the company can't ignore them. On Tuesday, Microsoft will release an unusually high number of critical patches for almost all of them.

July's Patch Tuesday includes fixes for six critical flaws, all of which involve remote execution bugs that could allow attackers to take control of a user's machine. The affected platforms and software includes not only all currently-supported versions of Windows, but also all Internet Explorer versions from IE 6 onward, as well as Office, Lync, Visual Studio, Silverlightand Microsoft's .NET framework. If you use any Microsoft product from the last several years, in other words, you probably need at least some of the patches.

Two of the critical exploits require that machines be restarted. Some versions of Windows are more vulnerable than others without a given patch, meaning that some of the updates designated as "critical" overall are downgraded for specific platforms. Nonetheless, all versions of Windows are afflicted by multiple high-priority exploits.

[ Microsoft is moving more quickly to fix problems. Read Microsoft Releases First Windows 8.1 Fixes. ]

Microsoft has also prepared a seventh patch, which it classified as "important." It addresses a vulnerability in Windows Defender, the platform's pre-installed security software.

The large batch of critical fixes has raised eyebrows in the security community. In a blog post, Paul Ducklin, head of technology at security vendor Sophos, advised businesses to get their "operational ducks in a row," adding that the patches are unusually broad. Windows Server Core, for example, is usually excluded from Patch Tuesdays because its stripped-down feature set offers a "significantly reduced attack surface area." It's therefore notable that July's updates include a Windows Server Core 2012 reboot, Ducklin wrote.

Paul Henry, a security and forensic analyst at security tools firm Lumension, similarly told The Guardian that this month's patches constitute "one of the uglier releases we've seen from Microsoft this year." Graham Cluley, a senior technology consultant with Sophos, channeled the hacker vernacular to describe the threat, warning in a blog post to "patch before you're pwned."

IT managers, in short, should be on alert.

The updates are expected to address a somewhat controversial exploit reported in June by Google researcher Tavis Ormandy. Ormandy discovered a zero-day vulnerability linked to the kernel for all editions of Windows from Windows 2000 to the present. The Google researcher, who had previously criticized Microsoft as "difficult to work with" reported the bug privately but waited only a few days before publishing his findings online.

Some security professionals have cried foul, arguing that Ormandy's public disclosure was unethical because it left Microsoft too little time to develop a fix and, in effect, gave malware authors a dangerous head start.

Security firm Secunia determined that the bug is only semi-urgent. Still, the firm noted that attackers could use the vulnerability to gain escalated privileges, or to hijack a machine for a denial-of-service attack. Tod Beardsley, a security researcher with Metasploit, noted in a blog, however, that this sort of local exploit provides a foundation for more damaging attacks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.