Microsoft Blocks Zero-Day Attacks Targeting IE, Office

Security updates patch bugs being exploited via in-the-wild attacks, except for Windows XP, which now becomes a sitting duck.

so only users who have already logged in to your SharePoint server can mount an attack," said Paul Ducklin, head of technology at Sophos, in a blog post.

Adobe patches critical Reader, Acrobat, Flash flaws
Also on Tuesday, Adobe released patches for 18 flaws in its products. The security fixes affect Adobe Reader and Acrobat, Flash Player, Adobe Illustrator (CS6), and Adobe AIR running on Windows and Mac OS X systems, as well as the Linux version of its Flash Player. Adobe also updated its Flash Player plug-in for the IE10, IE11, and Google Chrome browsers to fix security problems.

All of the flaws, except the Illustrator update, have been rated at maximum severity, because they could be exploited by attackers to remotely compromise Windows, Mac, or Linux systems.

Adobe's IE plug-in updates also led Microsoft to revise a security advisory it first issued in September 2012, detailing how attackers could create malicious websites to exploit a particular Flash Player flaw via drive-by attacks. Microsoft said that anyone who uses Flash Player must update, regardless of which browser they regularly use, because the Flash Player control that IE hosts can be reached by other applications, not only by IE itself. "Other applications, such as Microsoft Office 2007 and Microsoft Office 2010, can invoke Adobe Flash Player in Internet Explorer," the company warned.

Accordingly, Microsoft urged anyone using Flash Player for IE10 (on Windows 8, Windows Server 2012, or Windows RT) or IE11 (for Windows 8.1, Windows Server 2012 R2 or Windows RT 8.1) to update their Adobe plug-in immediately.
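One way to verify that the update actually landed is to inspect the Flash Player ActiveX control that IE and Office load, rather than trusting the browser's own "about" page. The following PowerShell script is an added example, not code from the article, Microsoft or Adobe; the file locations are the standard ones on Windows 8 and 8.1, where Flash for IE is serviced through Windows Update, and the minimum version in $MinimumVersion is an assumed value that should be taken from Adobe's bulletin for the month being checked.

```powershell
# Added example: report the Flash Player ActiveX control (Flash.ocx) that IE10/IE11
# and Office load on Windows 8/8.1, and compare it against a required minimum build.
# The default for $MinimumVersion is an assumption; read the real value from Adobe's
# security bulletin for the release you are validating.
param(
    [version]$MinimumVersion = '13.0.0.214'
)

# Flash for IE on Windows 8 and later lives under %windir%\System32\Macromed\Flash.
# 32-bit processes (32-bit Office 2010, a 32-bit IE tab) load the SysWOW64 copy,
# so both copies must be at the patched level.
$candidates = @(
    (Join-Path $env:windir 'System32\Macromed\Flash\Flash.ocx'),
    (Join-Path $env:windir 'SysWOW64\Macromed\Flash\Flash.ocx')
)

$outdated = @()
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output ("{0} : not present" -f $path)
        continue
    }

    # Adobe writes the FileVersion string with commas, so build a [version]
    # from the numeric parts instead of parsing the string directly.
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    $found = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)

    if ($found -lt $MinimumVersion) {
        Write-Output ("{0} : {1} is OLDER than required {2}" -f $path, $found, $MinimumVersion)
        $outdated += $path
    } else {
        Write-Output ("{0} : {1} is current" -f $path, $found)
    }
}

# Non-zero exit code lets a configuration-management or inventory job flag the host.
if ($outdated.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it as `.\Check-FlashOcx.ps1 -MinimumVersion 13.0.0.214` (substituting the version from the relevant Adobe bulletin). A host where the 64-bit copy is current but the SysWOW64 copy is stale is still exploitable through 32-bit Office documents that embed Flash content, which is exactly the path Microsoft's advisory warns about.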

Windows XP users now vulnerable
May is the final month that Adobe will release patches that work with Windows XP. Meanwhile, although Microsoft released an emergency IE fix May 1 that works with XP, Tuesday's batch of patches does not apply to XP, thus making it official that the operating system is no longer supported.

"Windows XP will not be receiving any security updates today," said Microsoft's Childs Tuesday in a blog post. "For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move."

Microsoft, of course, has been sounding that drum for some time, and many businesses have adopted more modern versions of Windows. "Fortunately, the XP user base continues to shrink," Qualys CTO Kandek said, noting that the XP enterprise install base appears to have dropped to about 8%.


That's good, because from an information security standpoint, Windows XP users are sitting ducks: attackers can diff the patches Microsoft ships for newer Windows versions to locate the fixed bugs, then target the same bugs in XP systems that will never receive a fix. "The majority of the vulnerabilities addressed in the [Tuesday] updates probably affect Windows XP/Office 2003 ... but only users who have Microsoft's extended support agreement can get the patches," said Kandek.

Attackers' job will be made easier by Microsoft continuing to patch Windows Server 2003, which shares a substantial amount of code with XP. Accordingly, Kandek said, "We can assume that any vulnerability ... for Windows Server 2003 is applicable to XP as well." For this month alone, that means six newly patched flaws -- including the IE patch, ASLR fix, Group Profile patch, and Office updates, as well as the Adobe Reader and Flash fixes -- could be used by attackers to target XP systems.

