Microsoft Fixes Two Zero-Day Flaws
The company's April patch follows on the heels of an out-of-band patch two weeks ago.
April 13, 2010
Microsoft on Tuesday issued its April security patch, which includes 11 bulletins addressing 25 vulnerabilities.
Five of the bulletins are rated "critical," five are rated "important," and one is rated "moderate."
According to Wolfgang Kandek, CTO of Qualys, two of the bulletins -- MS10-020, an SMBv2 denial of service flaw, and MS10-022, a VBScript flaw -- close zero-day vulnerabilities.
Two weeks ago, Microsoft issued an emergency, or out-of-band, patch to address a different zero-day flaw in Internet Explorer.
Had Microsoft not done so, April's patch would have been one of the largest ever, with 12 bulletins and 35 vulnerabilities.
With so many zero-day flaws so close together, Kandek suggests we're approaching patch overload, which may make silent, automatic updating technology -- used in Google Chrome and being tested by Adobe -- more necessary.
"However this will require a change in the way we look at and manage computers, as allowing programs to update individually moves control away from IT," he said in an e-mail. "Organizations will have to endorse and embrace that move for real impact."
He argues that Microsoft has shown that it has the flexibility to move fast when necessary, or to wait to deliver a more thoroughly tested fix. "They based that decision on what they were seeing in the field in terms of threats and exploits for the vulnerabilities covered," he said.
Microsoft recommends that customers deploy all its patches, but notes that MS10-019, MS10-026, and MS10-027 are the top priority bulletins for the month.
"MS10-019 addresses a flaw in the Windows Authenticode algorithm used to verify the authenticity of new software during the installation process," explains Kandek, who observes that while this vulnerability is considered difficult to exploit, it should still be patched promptly.
"The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts," said Joshua Talbot, security intelligence manager for Symantec Security Response, in an e-mailed statement. "Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability."
MS10-026 deals with a problem in the DirectShow software and MS10-027 fixes a Windows Media Player ActiveX control vulnerability. Both of the flaws addressed by these bulletins could lead to remote code execution.
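The MS10-019 discussion above turns on Authenticode: Windows decides whether an installer is trustworthy by asking WinVerifyTrust to validate its signature, and a bug in that validation lets an attacker make a tampered file look legitimately signed. The PowerShell script below is an added example, not code from the article or from Microsoft; it shows the check an administrator would run on downloaded installers once the patch is in place: list each file's signature status and signer, and accept a file only when the signature is Valid and the signer's subject matches an expected publisher. The download folder and the publisher list are assumptions for illustration.

```powershell
# Added example (not from the article): inspect Authenticode signatures on
# downloaded installers and accept only files that are validly signed by an
# expected publisher. The folder and publisher names below are assumptions.

# Publishers we expect to see on installers in this folder (assumed allow-list;
# substitute the CN= values from your own vendors' signing certificates).
$ExpectedPublishers = @(
    'CN=Microsoft Corporation',
    'CN=Microsoft Windows'
)

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedSubjects = $ExpectedPublishers
    )
    # Get-AuthenticodeSignature calls into the same WinVerifyTrust machinery
    # that MS10-019 patches; Status is Valid, NotSigned, HashMismatch,
    # NotTrusted or UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        return $false
    }

    # A valid signature only proves who signed the file, so also require the
    # signer to be one we expect; the subject is matched on its CN prefix.
    $subject = $sig.SignerCertificate.Subject
    foreach ($allowed in $AllowedSubjects) {
        if ($subject -like "$allowed,*" -or $subject -eq $allowed) {
            return $true
        }
    }
    return $false
}

function Get-InstallerSignatureReport {
    param(
        # Assumed location of downloaded installers.
        [string] $Folder = (Join-Path $env:USERPROFILE 'Downloads')
    )
    Get-ChildItem -Path $Folder -Include *.exe, *.msi, *.dll -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            [pscustomobject]@{
                File    = $_.Name
                Status  = $sig.Status
                Signer  = $signer
                Trusted = Test-TrustedInstaller -Path $_.FullName
                Note    = $sig.StatusMessage
            }
        }
}

# Usage: print the report; anything with Trusted = False should not be run.
Get-InstallerSignatureReport | Format-Table -AutoSize
```

Two caveats apply. First, the script trusts the platform's verifier, so it only means something on a host that already has MS10-019 installed; run it on an unpatched machine and the flaw Talbot describes can hand you a Valid status for a tampered file. Second, a Valid signature from an unexpected publisher is exactly the social-engineering case the bulletin worries about, which is why the allow-list check is separate from the status check rather than folded into it.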