Microsoft to unveil eight bulletins on Tuesday
Posted on 04 October 2013.
October is turning out to be a busy month for patches. Next week is Patch Tuesday, and both Adobe and Microsoft have published their advance notices, with one and eight bulletins respectively. In addition, on October 15th we are getting the Critical Patch Update from Oracle, which will include fixes for Oracle's enterprise products, plus a new release of Java 7.


This month also marks the 10-year anniversary of the Patch Tuesday program, which Microsoft started in October of 2003. Over the past decade, it has become a model implementation of a patch program in both outreach to vulnerability submitters and predictability for IT administrators, who have been dealing with the increasing number of patches for their computer infrastructures. The team at Microsoft is professional and a pleasure to work with when we have implementation questions or need background information on mitigation possibilities.

Nevertheless, Microsoft has had a turbulent two weeks since publishing security advisory KB2887507, which described CVE-2013-3893, a 0-day vulnerability in Internet Explorer that was being used in targeted attacks in Asia. Since then, we have seen research that links the exploit to malware as early as August. There have also been reports of the exploit being used more widely by other cybercriminal groups, and it was released as a Metasploit module just this week. A workaround (Fix-It) has been available since September 17.

But this situation is now resolved: Bulletin #1 is for Internet Explorer and addresses the recent 0-day. This is certainly the top-priority patch for next week, and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has remained low, which has given Microsoft the opportunity to run a full test cycle across all affected operating system and browser combinations.

Bulletins #2, #3 and #4 are all critical and address flaws in Windows itself, from Windows XP through Windows 8 and Windows RT.

Bulletins #6 and #7 address important vulnerabilities in Microsoft Excel and Microsoft Word. Both appear to be file-format vulnerabilities that allow remote code execution when a crafted document is opened. They should be high on your list of patches, as attackers frequently deliver such files as attachments to well-written e-mails that the recipients often open.

Bulletin #5 addresses an important vulnerability in SharePoint Server and deserves attention, especially if you expose SharePoint to the Internet.

Bulletin #8 addresses an information disclosure vulnerability in Silverlight and is the least urgent of the eight patches.

Adobe is releasing new versions of Adobe Reader XI and Acrobat XI for Windows that address a critical vulnerability. As far as Adobe knows, the vulnerability is not being exploited in the wild.


Author: Wolfgang Kandek, CTO, Qualys.