Vulnerabilities / Threats // Vulnerability Management
5/14/2014
10:55 AM
50%
50%

Microsoft Blocks Zero-Day Attacks Targeting IE, Office

Security updates patch bugs being exploited via in-the-wild attacks, except for Windows XP, which now becomes a sitting duck.

 

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

Microsoft has released a slew of security updates, including fixing two sets of vulnerabilities that are being actively exploited by in-the-wild attacks. But for the first time ever, Windows XP holdouts didn't receive any related security updates.

Microsoft published eight security bulletins Tuesday -- as part of its regularly scheduled monthly patch release cycle -- including fixes for 13 different vulnerabilities in Windows, Internet Explorer, Office, SharePoint Server, Group Policy preferences, as well as the .NET Framework and iSCSI.

Microsoft's cumulative IE security update includes a fix for an "out-of-band" patch that it originally released May 1, to patch a critical IE bug (CVE-2014-1776) that Google's security team found was being actively exploited by attackers to remotely execute arbitrary code. In a surprise twist, Microsoft had released the patch for Windows XP, which it officially stopped supporting last month.

Microsoft also issued a fix for a new critical IE bug Tuesday, saying that it was aware of limited, targeted attacks that attempt to exploit this vulnerability.

[Should government investigators be given expanded powers to battle cybercriminals? Read FBI Seeks License To Hack Bot-Invested PCs.]

Wolfgang Kandek, CTO of Qualys, described the patch in a blog post as "another surgical fix" similar to the May 1 patch. He noted that anyone who has yet to install the May 1 patch -- aside from XP users -- can install Microsoft's May 13 update instead, because it includes the fix.

Microsoft said that most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically.

According to Dustin C. Childs, group manager for incident response communications at Microsoft's Trustworthy Computing Group, the IE update should top the list of enterprise patching priorities, followed by installing fixes a vulnerability in the MSCOMCTL common controls library included in Office -- which Microsoft said is also being actively exploited by in-the-wild attacks -- and a Group Policy preferences flaw.

Kandek concurred with that patch prioritization assessment, noting that the MSCOMCTL fix comes in the form of a new DLL that has ASLR set, an easy fix for the developers to implement (basically a recompile), but one that took extensive testing as this DLL is widely used. Thanks to ASLR -- address space layout randomization -- the update will also better block future attacks. Meanwhile, Kandek added, the Group Policy patch prevents the storage of credentials in Group Policies, where they are relatively easily accessed by hackers and pen testers alike.

CrowdStrike CTO Dmitri Alperovitch, via Twitter, lauded the latter fix. "Very good security update from Microsoft today that disables a number of password dumping tools including Mimikatz," he said.

Rounding up other security updates, any business that uses SharePoint should also prioritize a related patch from Microsoft, Kandek advised, especially if you expose SharePoint to the Internet. That's because the patch fixes a flaw that would allow a remote attacker to upload files to SharePoint and trigger remote-code execution, thus allowing the attacker to take control of the server.

"The silver lining is that this is what's known as an authenticated vulnerability,

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/14/2014 | 4:06:20 PM
Microsoft Blocks Zero-Day Attacks Targeting IE, Office
Maybe I am wrong but aren't most vulnerabilities found by someone other than the one who developed it. Seems a little QA would be in order. Microsoft has a history of fixing things that are wrong with their software but it would be nice if they found one themselves. Thoughts?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.