Vulnerabilities / Threats
7/27/2009
04:50 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Plans Emergency Patch Tuesday

Two out-of-band security bulletins will be issued tomorrow to fix a critical flaw in Internet Explorer and a related issue in Visual Studio. Microsoft is withholding details until the patches are released.

Microsoft late Friday said it would issue two security bulletins on Tuesday, July 28, outside of its regular monthly patch cycle. The company typically releases "out-of-band" bulletins to address vulnerabilities that demand immediate attention.

In a statement, Mike Reavey, director of the Microsoft Security Response Center, provided few particulars other than saying the two bulletins -- one affecting Visual Studio and one affecting Internet Explorer -- will address a single, overall issue. "While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications," he said. "The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin."

He said that the Internet Explorer bulletin will address "critical" issues in Internet Explorer unrelated to the Visual Studio vulnerability.

He also said that Microsoft customers who have the most current security updates are protected from known attacks related to the vulnerabilities addressed by the two emergency bulletins.

A substantial portion of Microsoft customers are nonetheless likely to have vulnerable software. In mid-2008, according to Google, 45.2% of Internet users visiting the search site weren't using the most up-to-date version of their browser.

Out-of-band patches are unusual but certainly not unheard of. Last December, Microsoft released an out-of-band security update, MS08-078, to fix a vulnerability in Internet Explorer.

The company also released an out-of-band update last October, MS08-067, to fix a problem with Windows Server that could, and did, allow a malicious worm to spread: The vulnerability was subsequently exploited by the Conficker/Downadup worm because Microsoft users didn't patch quickly enough.

InformationWeek Analytics and DarkReading.com have published an independent analysis of security outsourcing. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-7194
Published: 2014-11-20
TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access.

CVE-2014-7195
Published: 2014-11-20
Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x before 6.0.2 and 6.5.x before 6.5.2, Spotfire Deployment Kit 6.0.x before 6.0.2 and 6.5.x before 6.5.2, and Silver Fabric Enabler for Spotfire Web Player before 1.6.1 allows remote authenticated users to obtain sensitive information via u...

CVE-2014-8000
Published: 2014-11-20
Cisco Unified Communications Manager IM and Presence Service 9.1(1) produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCur63497.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?