Microsoft fixes 14 flaws in biggest patch day since February
'Repeat offenders' -- once-patched pieces patched again -- abound, says researcher
Computerworld - In its biggest one-day security update since February, Microsoft Corp. today issued nine bulletins that patched 14 vulnerabilities in Office, Internet Explorer and every edition of Windows. Eight of the fixes were pegged as critical, the company's highest risk rating.
Faced with an overload of vulnerabilities -- including some in components that Microsoft has patched in the past -- researchers squabbled over which should get priority.
"I think six of these are equally important," said Andrew Storms, director of security operations at nCircle Network Security Inc.
"The GDI vulnerability is the most critical," said Amol Sarwate, the manager of Qualys Inc.'s vulnerability research lab.
"MS07-042 affects everything," said Don Leatham, the director of solutions and strategies at PatchLink Corp.
The only update that all three agreed should be moved to the top of the list was the one that patched a bug in the Windows Graphics Device Interface (GDI), the graphics rendering subsystem. According to Microsoft's MS07-046 bulletin, the GDI bug affects Windows 2000, XP and Server 2003, and a successful attack could give the attacker complete control of the PC.
"This affects a core Windows subsystem, and all versions except for Windows Vista," said Sarwate. "Unlike most other vulnerabilities, this one doesn't need an application, like Internet Explorer; all that's needed is a [malformed] image file. The only good news here is that this does not affect Vista."
PatchLink's Leatham cited the GDI bug as one of two he said should be patched immediately, and he rang the alarm even louder than Sarwate. "This has the potential to be as dangerous as the WMF vulnerability [from late 2005]," he said. "Microsoft makes it sound as if the typical exploit would come as some sort of e-mail attachment, but the GDI is used by about every single Microsoft application out there.
"Hackers will look at this like Nirvana, something this low level that they can use to target about every workstation in an enterprise," warned Leatham.
The WMF (Windows Metafile) vulnerability, a zero-day bug that attackers began exploiting widely at the end of 2005, was patched in early 2006 by one of the rare out-of-cycle fixes Microsoft has issued. Its impact on Windows users remains among the largest of any exploited Windows bug to date.
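Because a GDI image-parsing bug is triggered by the file's content, not by the application that opens it or the extension it carries, one practical check a mail gateway or responder can apply is to identify metafile content by its header bytes. The following is an added example, not code from the article or from any of the vendors quoted; the sample attachments are constructed byte strings, and the header layouts come from Microsoft's MS-WMF and MS-EMF format specifications.

```python
"""Identify Windows metafile (WMF/EMF) content by header bytes, not extension.

Added example; the attachment samples below are constructed, not real files.
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

# Header constants from the MS-WMF and MS-EMF specifications.
PLACEABLE_WMF_KEY = 0x9AC6CDD7   # 4-byte little-endian key at offset 0
EMR_HEADER_TYPE = 1              # first EMF record is EMR_HEADER (type 1)
EMF_SIGNATURE = 0x464D4520       # ASCII ' EMF' at offset 40 of EMR_HEADER
WMF_HEADER_WORDS = 9             # META_HEADER size in 16-bit words
WMF_VERSIONS = (0x0100, 0x0300)  # METAVERSION100 / METAVERSION300


def metafile_kind(data: bytes) -> Optional[str]:
    """Return 'WMF-placeable', 'EMF', 'WMF' or None for the given bytes."""
    if len(data) >= 4 and struct.unpack('<I', data[:4])[0] == PLACEABLE_WMF_KEY:
        return 'WMF-placeable'
    if (len(data) >= 44
            and struct.unpack('<I', data[:4])[0] == EMR_HEADER_TYPE
            and struct.unpack('<I', data[40:44])[0] == EMF_SIGNATURE):
        return 'EMF'
    if len(data) >= 6:
        # META_HEADER: Type (1 = memory, 2 = disk), HeaderSize, Version
        mtype, hsize, version = struct.unpack('<HHH', data[:6])
        if mtype in (1, 2) and hsize == WMF_HEADER_WORDS and version in WMF_VERSIONS:
            return 'WMF'
    return None


# Extensions under which metafile content is expected; anything else is suspect.
METAFILE_EXTENSIONS = {'.wmf', '.emf'}


def suspicious_attachments(attachments: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Flag attachments whose declared extension hides metafile content.

    Returns (name, detected_kind) pairs for every attachment that parses as a
    metafile but is not named as one; a .jpg that is really a WMF is exactly
    the kind of file a malformed-image exploit would be delivered as.
    """
    flagged = []
    for name, data in attachments.items():
        kind = metafile_kind(data)
        ext = os.path.splitext(name.lower())[1]
        if kind is not None and ext not in METAFILE_EXTENSIONS:
            flagged.append((name, kind))
    return flagged


# Constructed samples: minimal headers only, padded with zeros.
SAMPLE_WMF = b'\x01\x00\x09\x00\x00\x03' + b'\x00' * 12          # memory WMF, v3.0
SAMPLE_PLACEABLE = b'\xd7\xcd\xc6\x9a' + b'\x00' * 18            # placeable WMF key
SAMPLE_EMF = b'\x01\x00\x00\x00' + b'\x00' * 36 + b' EMF' + b'\x00' * 4
SAMPLE_JPEG = b'\xff\xd8\xff\xe0' + b'\x00' * 8                  # JPEG SOI marker

CONSTRUCTED_MAILBOX = {
    'invoice.emf': SAMPLE_EMF,        # named honestly, not flagged
    'photo.jpg': SAMPLE_WMF,          # WMF disguised as JPEG
    'logo.gif': SAMPLE_PLACEABLE,     # placeable WMF disguised as GIF
    'holiday.jpg': SAMPLE_JPEG,       # genuine JPEG header
}

if __name__ == '__main__':
    for name, kind in suspicious_attachments(CONSTRUCTED_MAILBOX):
        print(f'{name}: declared extension hides {kind} content')
```

The check is deliberately header-only: it answers "will GDI treat this as a metafile?" without parsing the records, so it never exercises the vulnerable rendering path itself.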
Eight other bulletins, however, will vie for administrators' attention. Some, said Storms, Sarwate and Leatham, should get that attention before the others. Here are some of the fixes each one of them singled out:
- Storms: "The idea of virtualization is a really big thing in IT today, and everyone who does it in the enterprise has the same concern: Can the guest OS [in a virtual machine] affect the host OS?" For that reason, he put the spotlight on MS07-049, even though the update was rated "important," not "critical." The No. 1 concern of those running virtualization software in a corporate enterprise, he said, is "How much can we trust the guest OS?" The bug patched today could let users with administrative privileges on the guest operating system run code on the host operating system, or even on another virtual machine's guest operating system, according to Microsoft.
- Sarwate: "MS07-045 affects all versions of Internet Explorer. This vulnerability is in the [Cascading] Style Sheets [CSS], which are the building blocks of any site." According to Microsoft's advisory, IE's parsing of certain strings in CSS is flawed; attackers could exploit it by enticing users to a malicious Web page, resulting in a full PC hijack.
- Leatham: "MS07-042 affects everything." The vulnerability, which exists in multiple versions of XML Core Services (MSXML) -- the component that lets JScript, VBScript and Visual Studio developers build XML-based applications -- affects every supported version of Windows, including Vista. Microsoft rated the bug as critical across the board. "There's so much going on with XML in enterprises," said Leatham. "That's why this is so dangerous."