Sep 9
Patch Tuesday to fix four critical flaws in Windows, Internet Explorer and Office

Microsoft released 14 patches on Patch Tuesday, with four of them rated as critical.

The software giant said in its latest advance security bulletin notification that the most severe flaws have been found in Microsoft Office, Windows, Internet Explorer and Windows Server.

In all, there are eight remote code execution flaws, which can allow attackers to gain access to, or take control of, an affected system without any user prompt or permission.

With half of all the patches applying to the company’s productivity suite — Office 2007 (Service Pack 3) and Office 2010 (Service Pack 1) are affected — users are advised to patch their systems as soon as possible. The latest Office 2013 release is not affected, however.

Another round of patches will fix flaws in Windows XP and Windows Server 2003. XP leaves the company’s support cycle in April 2014; Server 2003 follows in July 2015.

Internet Explorer 6 on Windows XP through to Internet Explorer 10 on Windows 8 and RT-based devices face another round of patches. Server-based versions of Internet Explorer are rated “moderate,” but should still be patched sooner rather than later.

Source: ZDNet

Feb 11
Microsoft to release fixes for 57 security flaws

Microsoft will release 12 patches for 57 vulnerabilities this week for Windows, Internet Explorer and Office.

A smattering of enterprise products, including Microsoft Office and Windows Server, and developer tools such as the .NET Framework will also be patched.

Five of the updates are labeled “critical”, meaning malicious code can be executed remotely on users’ machines. Another vulnerability that allows remote code execution is labeled “important”.

The company’s pre-release bulletin warns of two major vulnerabilities in Internet Explorer, both allowing attackers to execute code remotely on vulnerable machines. All versions from IE6 to IE10 are affected, including Windows RT-based Surface tablets, which will also need to be updated. With this in mind, users are advised to switch to another browser for the next few days until the updates are released.

Another critical update will address a flaw in Windows XP, Windows Vista and Windows Server 2003, but does not affect later versions of the operating system such as Windows 7 or Windows 8.

The fourth critical vulnerability patches Microsoft’s email server, Exchange, while the fifth critical vulnerability affects only Windows XP-based machines.

Among the “important” updates, Microsoft will also patch a SharePoint flaw that could be subject to code-injection attacks.

Aug 13
9 fixes in Microsoft’s August Patch Tuesday

Microsoft has announced that August’s Patch Tuesday will contain nine security bulletins, some of them fixing vulnerabilities that allow attackers to install malware without permission.

The products affected by the update are Windows, Internet Explorer, Microsoft Office, SQL Server, Microsoft Server Software, Microsoft Developer Tools and Microsoft Exchange.

According to Microsoft’s Security Bulletin Advance Notification, five of the patches are rated “critical”. These address vulnerabilities that could allow remote code execution.

The four bulletins given the “important” rating by Microsoft affect Windows and Office. Three of these also address remote code execution, while one covers an elevation of privilege.

Source: PC Advisor

Jun 13
Microsoft scrambles to patch 26 bugs

Microsoft on Tuesday patched 26 vulnerabilities, including one in Internet Explorer (IE) that is already being exploited. The company also warned customers of a new zero-day attack and quashed yet another instance of a bug that the Duqu intelligence-gathering Trojan leveraged.

Microsoft also ditched one security update at the last minute and substituted another in its place, probably because the second was more serious.

Of Tuesday’s seven security updates, three were rated “critical,” Microsoft’s top-most threat ranking, while the other four were marked “important,” the next-most-serious label.

The 26 vulnerabilities – one more than Microsoft last week told users to expect – included 10 critical, 14 important and two judged “moderate” in the company’s four-step scoring system.

Microsoft also issued a new security advisory on Tuesday, admitting that a critical unpatched vulnerability in all versions of Windows – as well as in Office 2003 and Office 2007 – was being exploited by attackers who duped victims into visiting malicious websites. Until a patch is ready, customers should run the free “Fixit” tool Microsoft made to block attacks aimed at IE users.

Microsoft did not set a delivery date for a patch, but it wouldn’t be too surprising if it released an emergency update for Windows and Office before July 10, the next scheduled Patch Tuesday.

Source: PC Advisor

Dec 13
Microsoft plans a hefty Patch Tuesday Today

Microsoft has announced its final Patch Tuesday release of 2011, with 14 bulletins covering 20 vulnerabilities.

After a number of small releases, Microsoft has given IT departments an early Christmas present of three critical and 11 important bulletins.

The critical security holes affect Windows XP, Vista, and Windows 7, although only one affects the latter. Both Windows Server 2003 and 2008 are vulnerable, although the latter is only affected by one flaw.

“Five of the ‘important’ bulletins affect Office 2003, 2007 and 2010 including all Office versions for Macintosh as well,” explained Wolfgang Kandek, chief technology officer at Qualys, who described this month’s Patch Tuesday as “significant” in his blog post. “One of the remaining bulletins addresses Internet Explorer 6 through 9 and the remaining bulletins apply to all versions of Windows.”

A total of 10 of the vulnerabilities could allow remote code execution, which will concern any IT department wary of skilled, malicious attackers.

Microsoft will release the bulletins on 13 December. To view the whole advisory, head to Microsoft’s TechNet.

Source: IT Pro

Jul 13
Microsoft releases four security bulletins on Patch Tuesday

Microsoft released four security bulletins for Patch Tuesday today, including one that fixes a critical hole in the Bluetooth stack of Windows 7 and Vista, and three less serious patches that plug 21 holes affecting all supported versions of Windows and Visio 2003.

The highest priority is MS11-053, which fixes a vulnerability that could allow an attacker to take control of a computer by sending malicious Bluetooth wireless packets.

Jerry Bryant, group manager for security response at Microsoft, downplayed the possibility of exploitation in the wild, saying there are mitigating factors, including the fact that Bluetooth on a target device would have to be discoverable, which is not the default mode.

“So an attacker would have to be in line-of-sight of you and would have to brute force their way into discovering your (network) address, and that would be assuming you are actively advertising it for them,” he said in an interview. “There are tools out there to help an attacker do that, but they are expensive and take a long time to run. It’s a serious issue but I don’t think it will be something we see active exploits on in the near future.”

Marcus Carey, security researcher at Rapid7 noted that many people regularly rely on Bluetooth-enabled devices, or have Bluetooth set to “on” and don’t realize it. “This should concern users who have internal Bluetooth devices or people that use after-market Bluetooth headphones, mouses, keyboards, and printers through USB,” he said. “The problem with Bluetooth is that often people have their Bluetooth devices activated and are totally unaware that they are transmitting.”

Source: CNET

Jun 15
Microsoft and Adobe put out software fixes

Microsoft released 16 security bulletins on Tuesday fixing a total of 34 holes, including critical holes in Windows, the SMB client and Internet Explorer.

Nine of Microsoft’s bulletins are rated “critical” and the remainder are rated “important”.

There are four “critical-level” updates that Microsoft said in a blog post should be addressed first.

They are:

  • MS11-042, which fixes vulnerabilities in the Distributed File System (DFS) that affect all versions of Windows.
  • MS11-043, which closes a hole in SMB Client on Windows.
  • MS11-050, which is a cumulative bulletin resolving 11 bugs in Internet Explorer.
  • MS11-052, which fixes a vulnerability in the Microsoft implementation of Vector Markup Language and affects Windows and Internet Explorer 6, 7 and 8.

Affected software includes Windows XP, Vista, Windows 7, Windows Server 2003 and 2008, Office XP, 2003, 2007, 2010, Office 2004 and 2008 for Mac, SQL Server 2005 and 2008, Silverlight 4, Visual Studio 2005, 2008 and 2010, and Forefront Threat Management Gateway 2010 Client.

Microsoft also gave an update on a change it made to Windows in February. Disabling Autorun in order to make USB thumb drives safer to use appears to be having an effect, Microsoft said. As of May, infections detected by the Malicious Software Removal Tool per scanned computer had declined by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines compared with the 2010 infection rates on those platforms. (The updated Autorun settings were built in by default on Windows 7.)
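The February update the article refers to changed Windows’ own behaviour; the administrator-side control for the same behaviour is the NoDriveTypeAutoRun policy value, and the script below checks it on the machine it runs on. This is an added example, not code from the CNET article or from Microsoft: the registry paths and the bit meanings (0x04 removable drives, 0x10 network drives, 0xFF every drive type) are standard Windows policy settings, while the function name and the -Remediate switch are this example’s own.

```powershell
# Added example: audit, and optionally enforce, the Autorun policy.
# NoDriveTypeAutoRun is a bitmask; a set bit disables Autorun for that drive type.
# 0x04 = removable, 0x10 = network, 0xFF = everything. Function name and
# -Remediate switch are this example's own, not from the article.
function Test-AutorunPolicy {
    [CmdletBinding()]
    param([switch]$Remediate)

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $hardened  = 0xFF                 # every drive-type bit set
    $mustCover = 0x04 -bor 0x10       # the worm vectors: removable and network drives

    foreach ($path in $paths) {
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        # No value means the Windows default applies (0x91 on XP/Vista), which leaves removable drives enabled.
        $weak = ($null -eq $current) -or (($current -band $mustCover) -ne $mustCover)

        if ($weak -and $Remediate) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $hardened -Type DWord
            $current = $hardened
            $weak = $false
        }

        $shown  = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
        $status = if ($weak) { 'WEAK' } else { 'OK' }
        [pscustomobject]@{ Key = $path; Value = $shown; Status = $status }
    }
}

# Report only; run with -Remediate from an elevated prompt to write 0xFF.
Test-AutorunPolicy | Format-Table -AutoSize
```

The HKLM value is the one Group Policy writes and the one that matters on a shared machine; the HKCU check is there because a per-user value left behind by older tooling can still be weak when the machine value is fine.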

Not to be left out of this patching frenzy, Adobe’s quarterly security bulletins fixed a hole in Flash Player that was reportedly being targeted in attacks. It also shipped fixes for its Shockwave Player, Adobe Reader and Adobe Acrobat.

Adobe said it will now offer users the option to turn on automatic updates by default.

Source CNET

Apr 8
Microsoft targets 64 holes in Patch Tuesday release

Microsoft will release 17 bulletins on Tuesday to fix 64 vulnerabilities across a swathe of products including Windows, Office and Internet Explorer, the company said in its Patch Tuesday preview.

Of the bulletins, nine are rated “critical” and eight are “important,” the company said in a TechNet blog post.

In addition to all versions of Windows; IE6, IE7, and IE8; numerous versions of Office for Windows and the Mac, affected software includes Visual Studio .NET and Visual C++, according to the advisory.

This release represents a large number of bulletins and vulnerabilities addressed at one time for Microsoft. The company issued 17 bulletins in December and plugged a record 49 holes in October.

“Microsoft is planning to release 17 bulletins and a whopping 64 CVEs (Common Vulnerabilities and Exposures) this month, a new CVE record,” said Andrew Storms, director of security for nCircle. “That seems like a huge number of bugs but it’s actually about what we expected. Ever since the middle of last year Microsoft’s bulletin releases generally hit double digits every other month.”

Source: ZDNet

Jan 12
Microsoft patches critical Windows bug but leaves flaws unfixed

Microsoft yesterday patched three vulnerabilities in Windows, including one that could be exploited by attackers who fool users into visiting a malicious website. The company also provided a new defensive measure to help users ward off ongoing attacks that are exploiting a known bug in Internet Explorer (IE).

The light load – just two security updates, or “bulletins” as Microsoft calls them – was announced last week, making for an easier beginning to the new year than the end of 2010, when in December the company shipped a record 17 updates that patched a near-record 40 bugs.

One of the updates was classified as ‘critical’ by Microsoft, the firm’s top threat ranking, while the other was marked as ‘important’, the second-most dangerous rating.

MS11-002 was the update that security researchers and Microsoft recommended users apply first. The update patched two vulnerabilities, one critical, the other important. “Attackers can exploit the critical vulnerability in MS11-002 by getting users to browse to a malicious website,” said Amol Sarwate, manager of Qualys’ vulnerabilities research labs. The tactic, usually called a “drive-by” attack, relies on enticing users to click a link that’s offered in a baited email. The bug is in the Microsoft Data Access Components (MDAC), a set of components that lets Windows access databases such as Microsoft’s own SQL Server. The flaw is in the MDAC ActiveX control that allows users to access databases from within IE.

Only users running IE are at risk from attacks exploiting the critical bug Microsoft disclosed in MS11-002, said Sarwate.

Microsoft also urged customers to apply MS11-002 first, noting that all client versions of Windows, including XP Service Pack 3 (SP3), Vista and Windows 7, were vulnerable. The server editions of the operating system are vulnerable as well, but for them Microsoft rated the threat as important, not critical.

The other update, dubbed MS11-001, is less important because it applies only to Windows Vista. The Backup Manager bug is one of several so-called “DLL load hijacking” or “binary planting” vulnerabilities in Windows.

In December, Microsoft said that the month’s five updates were the last DLL load hijacking bugs it knew about. “This fixes all of the [Windows] components that we’re aware of,” said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview on December 14. He left the door open to more, however. “We’re not closing that [DLL load hijacking] advisory just yet, and will continue to investigate,” Bryant said.

Also on Tuesday, Microsoft offered users an application “shim” that blocks in-the-wild attacks against IE that exploit a bug first disclosed last month.

Microsoft left several bugs unpatched today. In the last few weeks, the company has acknowledged a critical flaw in IE and serious vulnerabilities in Windows XP, Vista, Server 2003 and Server 2008, and confirmed reports that Chinese hackers were scouring the web for information on another IE flaw. The latter vulnerability was submitted to Microsoft last summer by Google security engineer Michal Zalewski. Microsoft and Zalewski have traded barbs over the timeline of his bug report, and subsequent release of a “fuzzer” tool that found the flaw.

Today’s security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
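After a Patch Tuesday cycle delivered through Windows Update or WSUS, the question an administrator actually has to answer is whether a given bulletin’s fix landed on a given host. The script below is an added example, not code from the article or from Microsoft. It consults two inventories, because Get-HotFix (backed by Win32_QuickFixEngineering) lists Windows component updates only, while Office and other Microsoft Update products appear only in the Windows Update Agent history. The function names are this example’s own; the KB numbers are supplied by the caller and the ones in the usage comment are placeholders, not identifiers from this page.

```powershell
# Added example: verify that the KB fixes for a set of bulletins are installed
# on the local host. Function names are this example's own.
function Get-InstalledKb {
    # Inventory 1: Windows component updates (QFE). Office updates are not listed here.
    $fromQfe = Get-HotFix -ErrorAction SilentlyContinue |
        ForEach-Object { $_.HotFixID.ToUpperInvariant() }

    # Inventory 2: Windows Update Agent history, which does include Office and
    # other Microsoft Update products. ResultCode 2 = orcSucceeded.
    $fromWua = @()
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $count = $searcher.GetTotalHistoryCount()
        if ($count -gt 0) {
            $fromWua = $searcher.QueryHistory(0, $count) |
                Where-Object { $_.ResultCode -eq 2 } |
                ForEach-Object { [regex]::Matches($_.Title, 'KB\d+') } |
                ForEach-Object { $_.Value.ToUpperInvariant() }
        }
    } catch {
        Write-Warning "Windows Update Agent history unavailable: $($_.Exception.Message)"
    }

    @($fromQfe) + @($fromWua) | Sort-Object -Unique
}

function Test-KbCompliance {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$RequiredKb)

    $installed = Get-InstalledKb
    foreach ($kb in $RequiredKb) {
        $id = 'KB' + ($kb -replace '^KB', '')   # accept '2451910' or 'KB2451910'
        [pscustomobject]@{
            KB        = $id
            Installed = ($installed -contains $id)
        }
    }
}

# Usage: pass the KB numbers from each bulletin's title. These two are placeholders.
# Test-KbCompliance -RequiredKb '1111111','KB2222222' | Format-Table -AutoSize
```

Any row with Installed = False still needs the update. A superseding update can make an older KB legitimately absent, so treat a False for an old bulletin as a prompt to check supersedence rather than as a missing patch by itself.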

Dec 15
Microsoft plugs 40 holes and plans Office security update

Microsoft has plugged 40 holes with 17 patches and said it will improve the security of Office 2003 and Office 2007 by adding a file-validation feature from Office 2010 to the older versions of its productivity software.

Customers should focus on the two critical bulletins that are part of Microsoft’s monthly Patch Tuesday security update, says Jerry Bryant, group manager for response communications in Microsoft’s Trustworthy Computing Group. The first is MS10-090, a cumulative update for Internet Explorer. It fixes seven vulnerabilities in the browser and affects IE 6, 7 and 8. There have been attacks targeting IE 6 on Windows XP, Bryant said.

The other critical bulletin is MS10-091, which fixes several vulnerabilities in the Windows Open Type Font driver. It affects all versions of Windows, primarily on third-party browsers that natively render the Open Type Font, which IE does not, according to Bryant.

Meanwhile, the company will be adding Office File Validation, which is currently in Office 2010, to Office 2003 and Office 2007 by the first quarter of 2011, Bryant said. This will be an optional update.

Source: ZDNet

Nov 10
Microsoft’s security updates – Patch Tuesday

Microsoft issued three security bulletins on Tuesday fixing 11 holes, including one rated ‘critical’ that could be exploited by an attacker sending a malicious email that is merely previewed in Outlook, or opened in Word.

The priority update, MS10-087, resolves five issues affecting all currently supported Microsoft Office products. The bulletin is rated ‘critical’ for Office 2007 and Office 2010 “due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file”, a Microsoft Security Response Center blog post said. Outlook is not directly affected, however, because the vulnerabilities can only be exploited through Microsoft Word.

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “All that is required is for the content of the email to appear in Outlook’s reading pane. If a user highlights a malicious email to preview it in the reading pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the reading pane by default and the computer will be infected.”

That update also addresses an Office vector for a vulnerability referred to as “DLL Preloading” or “Binary planting” related to the way Windows handles dynamic-link library files and which plagued numerous applications recently and led to attacks in the wild.
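The DLL preloading, or binary planting, class mentioned here and in the January 2011 item above works by placing a DLL where the loader looks before System32, typically the directory of a document the user opened, which becomes the process’s current directory. The script below is an added example, not code from the articles or from Microsoft: it lists modules that a running process resolved from outside the Windows and Program Files trees, and reports the CWDIllegalInDllSearch setting that Microsoft’s Security Advisory 2269637 introduced for this class (the advisory is not named on this page; its value meanings are as documented there). The trusted-root list and function names are this example’s own choices.

```powershell
# Added example: list DLLs loaded from outside the Windows/Program Files trees,
# the tell-tale of a planted library. Trusted roots and names are this example's own.
function Get-SuspiciousModules {
    [CmdletBinding()]
    param([string[]]$ProcessName = '*')

    $trustedRoots = @(
        $env:SystemRoot,
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        $env:CommonProgramFiles
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Module enumeration fails for protected or other-user processes; skip those.
        $modules = try { $proc.Modules } catch { $null }
        if (-not $modules) { continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
            }
            if (-not $trusted) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $path
                }
            }
        }
    }
}

# Microsoft's mitigation for the class (Security Advisory 2269637): the
# CWDIllegalInDllSearch DWORD. 0xFFFFFFFF removes the current directory from the
# search order entirely; 2 blocks loads from WebDAV and remote shares; 1 blocks WebDAV only.
function Get-CwdDllSearchPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    if ($null -eq $v) { 'not set: current directory remains in the DLL search path' }
    else { '0x{0:X}' -f $v }
}

Get-SuspiciousModules | Format-Table -AutoSize
Get-CwdDllSearchPolicy
```

The module list is a triage list, not a verdict: browsers and updaters that install under %LOCALAPPDATA% legitimately load from there. What deserves a second look is a well-known system DLL name resolved from a document folder, a download directory or a network share.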

The second update is labeled MS10-088. It resolves two holes in Microsoft PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file.

And finally, there is MS10-089, which plugs four holes in Unified Access Gateway, a component of Microsoft Forefront. The most significant of the vulnerabilities could allow elevation of privilege if a user clicks on a malicious link on a web site. This update is offered through the Microsoft Download Center and is not available through Microsoft Update at this time.

Oct 8
Microsoft to patch a record 49 security holes

Microsoft will fix a record 49 vulnerabilities in its Patch Tuesday release next week, having announced 16 security bulletins affecting Windows, Internet Explorer, Office and the .NET Framework.

Four of the bulletins carry a ‘critical’ rating, 10 are rated ‘important’, and two are ‘moderate’, according to the advisory. They affect specifically Windows XP, Vista, Windows 7, Windows Server 2003 and 2008, Microsoft Office XP Service Pack 3, Office 2003 Service Pack 3, Office 2007 Service Pack 2, Office 2010, Office 2004 for Mac and 2008 for Mac, Windows SharePoint Services 3.0, SharePoint Server 2007, Groove Server 2010 and Office Web Apps.

Microsoft did not indicate whether two unpatched Windows holes that are being exploited by the Stuxnet worm will be fixed next week. Microsoft previously patched two other zero-day vulnerabilities in Windows the worm was using and said during last month’s Patch Tuesday release that two more holes being used by Stuxnet needed to be plugged. Stuxnet spreads through Windows vulnerabilities but was designed to target industrial control and critical infrastructure systems running Siemens software.

This is the highest number of vulnerabilities fixed in one Patch Tuesday release; the previous record was 34 holes fixed in August. This Patch Tuesday announcement also marks the first time Microsoft Word 2010 has been included in an advisory.

The 49 vulnerabilities are due to be patched on 12 October.

Source: ZDNet

Sep 15
Microsoft patched 13 holes in Windows, IIS and Office

Microsoft issued nine bulletins fixing 13 vulnerabilities on Patch Tuesday (14 September) that affect Windows, Internet Information Services and Microsoft Office.

Affected software included Windows XP, Vista and Windows 7, Windows Server 2003 and 2008; and Office XP, 2003 and 2007, with the older versions affected by critical bulletins, according to the security advisory.

One notable fix was for the security hole being used by the Stuxnet worm to infect PCs. This patched a vulnerability in the Windows print spooler service that could allow an attacker to take control of a computer by sending a specially crafted print request to a vulnerable system on which the print spooler service is exposed without authentication.
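The necessary condition for the exposure described above is a running spooler that accepts jobs from the network, which on a workstation means at least one shared printer. The script below is an added example, not code from the CNET article or from Microsoft: it reports that condition for the local host and, with the -Disable switch, stops and disables the service on hosts that share no printers and do not need to print. It does not evaluate who may submit jobs to the shares; that is an access-control question outside the script. The function name is this example’s own.

```powershell
# Added example: report whether this host runs the print spooler with shared
# printers, i.e. accepts print requests from the network. Name is this example's own.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param([switch]$Disable)

    # Win32_Service rather than Get-Service so StartMode is available on pre-PowerShell-5 hosts
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
    $sharedPrinters = @(Get-WmiObject -Class Win32_Printer -Filter "Shared = TRUE" |
        Select-Object -ExpandProperty ShareName)

    $exposed = ($null -ne $svc) -and ($svc.State -eq 'Running') -and ($sharedPrinters.Count -gt 0)

    if ($Disable -and $svc) {
        # Only sensible where nothing prints from this host; printing stops working entirely.
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
        $exposed = $false
    }

    $state     = if ($svc) { $svc.State } else { 'not installed' }
    $startMode = if ($svc) { $svc.StartMode } else { '-' }
    [pscustomobject]@{
        SpoolerState   = $state
        StartMode      = $startMode
        SharedPrinters = ($sharedPrinters -join ', ')
        NetworkExposed = $exposed
    }
}

Get-SpoolerExposure
```

On a print server NetworkExposed will be True by design; there the answer is the patch, not the switch. On workstations and servers that never print, a disabled spooler removes the attack surface regardless of the patch state.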

Prior to the huge patch, Don Leatham, senior director of solutions and strategy at Lumension said “Organisations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them. Organisations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms.”

Source: CNET

Jun 9
Microsoft issues a huge Patch Tuesday update

Microsoft issued three critical security bulletins on Tuesday (8 June), plugging 10 holes that could allow an attacker to remotely take control of a Windows computer via a malicious media file or streaming content, or via malicious web content viewed through Internet Explorer.

Overall, this Patch Tuesday release involves 10 bulletins fixing 34 vulnerabilities affecting all supported versions of Windows, Office XP, Office 2003 and 2007 Microsoft Office System, Office 2004 and 2008 for Mac, Excel Viewer, and Sharepoint Services 3.0.

Also plugged are holes in the Windows kernel-mode drivers; the COM (Component Object Model) validation in Office; the OpenType Compact Font Format driver; Excel; Internet Information Services; and the Microsoft .NET Framework.

“This is the largest Microsoft patch release of 2010 and ties the record for the most vulnerabilities ever addressed in a single month; a record set in October of last year,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “This month’s release also features the largest ever single bulletin, with 14 vulnerabilities in Excel being addressed together.”

Source: CNET

Feb 10
Microsoft patches 26 Windows and Office holes

Microsoft has fixed 26 vulnerabilities in 13 security bulletins as part of its Patch Tuesday, including critical ones for Windows that could be exploited to take control of a computer and one that has resided in the 32-bit Windows kernel since its release 17 years ago.

The top priorities for deployment are bulletins plugging holes in the SMB (Server Message Block) Protocol, Windows Shell Handler, ActiveX via Internet Explorer, DirectShow and the 32-bit version of Windows, Jerry Bryant, a lead senior security communications manager at Microsoft, wrote in a blog post.

The DirectShow bulletin should be at the top of the list, according to Bryant. It is critical for all supported versions of Windows except Itanium-based server products. To exploit the hole, an attacker could host a malicious AVI (Audio Video Interleave) file on a website, and lure a user to visit the site or send the file via email so the user could open it.

Source: ZDNet

   
