Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Microsoft Reveals New Holes

Juniper revs the marketing machinery as three new Windows vulnerabilities emerge

Microsoft today revealed details on three new security vulnerabilities in its Windows environment, and users and vendors are scrambling to patch up the holes.

The software giant rated two of the vulnerabilities as "critical": One flaw could allow attackers to execute code remotely via Microsoft Exchange (MS Security Bulletin MS06-019); and a vulnerability in Adobe's Macromedia Flash Player could let outsiders run remote code (MS06-020).

The third threat, which Microsoft rated as "moderate," could allow an attacker to send a specially crafted message that would stop Microsoft's Distributed Transaction Coordinator (MSDTC) from operating, paving the way for a denial-of-service attack (MS06-018.

All three security bulletins can be found here. Microsoft has issued software updates for all three.

As Microsoft scrambled to issue the patches, security vendors stepped forward to offer their own solutions to the vulnerabilities. Most, such as Symantec, issued advisories as usual, but Juniper Networks turned it into a marketing opportunity, telling users its security products had already solved the problem.

Juniper issued a statement to the effect that users of its Juniper Intrusion Detection and Prevention product are safe from the three new threats, even if they haven't installed the patches.

Advisories help users limit the damage caused by newly discovered Windows flaws, but Juniper's approach to the security bulletins represents a type of response that is "becoming vastly more successful'" says Rob Enderle, CEO of the Enderle Group consultancy.

"Juniper basically says, 'If you are using our security solution, you are protected,' " Enderle observed. That may prove a welcome bit of hope to users under constant threat; but the vendor has to deliver more than just words. "This idea that a vendor that has your back should -- if the solutions will hold up to the promise -- result in greater sales for the vendors who demonstrate it."

Enterprises that don't have Juniper's technology can still respond quickly to the problems by applying the three software updates, but the software deployment process often takes time, and leaves a window open for attackers who might exploit the vulnerabilities in the near term.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story

  • Enderle Group
  • Juniper Networks Inc. (Nasdaq: JNPR)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Symantec Corp. (Nasdaq: SYMC)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
    Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
    Palo Alto Networks to Buy CloudGenix for $420M
    Dark Reading Staff 3/31/2020
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 4/3/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-11580
    PUBLISHED: 2020-04-06
    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate.
    CVE-2020-11581
    PUBLISHED: 2020-04-06
    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shel...
    CVE-2020-11582
    PUBLISHED: 2020-04-06
    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTT...
    CVE-2020-11585
    PUBLISHED: 2020-04-06
    There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a messag...
    CVE-2020-5832
    PUBLISHED: 2020-04-06
    Symantec Data Center Security Manager Component, prior to 6.8.2 (aka 6.8 MP2), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected ...