Risk

12/10/2010
11:36 AM
50%
50%

Microsoft To Patch 40 Vulnerabilities Tuesday

Security update will close the last known Stuxnet vulnerability, but won't address a zero-day bug reported Thursday in Internet Explorer.

Microsoft Internet Explorer 9 Beta Revealed
Slideshow: Microsoft Internet Explorer 9 Beta Revealed
(click image for larger view and for full slideshow)
On Thursday, Microsoft announced that this Patch Tuesday it will release fixes for 40 separate flaws in Microsoft Windows, Office, Internet Explorer (IE), SharePoint, and Exchange. All told, there will be 17 individual security bulletins, with two rating as critical.

One of the forthcoming patches will close the last remaining vulnerability being exploited by Stuxnet. According to a blog post by Mike Reavey, director of Microsoft Security Response Center, "this is a local elevation of privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware."

Microsoft is also patching a bug in IE that's currently being exploited by attackers, though Reavey rates the number of related exploits as being "pretty low," and notes that "customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP)."

Expect enterprises to punt many of these patches until 2011. "The high number of advisories will present a challenge to all Windows system administrators, especially with the holidays shortening the available working hours," said Wolfgang Kandek, CTO of Qualys.

December's Patch Tuesday brings the total number of security bulletins Microsoft released in 2010 to 106 -- the highest number yet. "This isn't really surprising when you think about product lifecycles and the nature of vulnerability research," said Reavey, highlighting both the fact that Microsoft supports products for 10 years, as well as ongoing improvements in vulnerability research, meaning that researchers are finding more bugs. On that note, he said that 80% of Microsoft product vulnerabilities are "reported to us cooperatively," meaning that Microsoft has a heads-up before knowledge of the bug goes public.

One new bug, however, won't make the count. On Thursday, IT security research firm Vupen disclosed a new, zero-day vulnerability in Internet Explorer 6, 7, and 8. Vupen rates the vulnerability as critical, because attackers could use it to comprise a system. According to its security advisory, the issue stems from "a use-after-free error within the 'mshtml.dll' library when processing a web page referencing a CSS (cascading style sheets) file that includes various '@import' rules, which could allow remote attackers to execute arbitrary code via a specially crafted Web page."

The bug will not be addressed by the forthcoming Patch Tuesday.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.