Microsoft ends year by patching 11 bugs
Latest batch fixes 7 critical flaws in Windows and IE, stymies two zero-days
Computerworld - Microsoft Corp. today released seven security bulletins that patch 11 vulnerabilities in Windows, Internet Explorer, Windows Media Player and other parts of the operating system. Two of the bugs are currently being exploited by attackers, Microsoft confirmed.
Of the seven updates, three are rated critical -- the highest ranking Microsoft uses -- while the other four are labeled important, the second-highest category in the company's four-step scoring system.
The three critical bulletins, which fix seven different flaws in DirectX, the Windows Media Format runtime used in Windows Media Player and Internet Explorer, should be patched pronto, a pair of security experts said today. "These are the worst kind of client-side vulnerabilities that one could wish for," said Andrew Storms, director of security operations at nCircle Inc. "All three of them deal with rich multimedia content.
"Obviously, attackers have moved away from sending malware and toward drive-by attacks," Storms added.
Amol Sarwate, the manager of Qualys Inc.'s vulnerability lab, echoed Storms in both his choice of patches to administer first and his reasoning. "The three bulletins marked critical [include vulnerabilities that] are of the type we've seen attackers use to target common desktop users, rather than trying to attack servers."
Sarwate got a bit more specific, however, in pinpointing the single-most dangerous bug patched today: MS07-069, the bulletin that addresses four vulnerabilities in IE6 and IE7, should be deployed first, he advised, because one of those flaws is already being exploited in the wild. "The DHTML zero-day is extremely important to patch," said Sarwate.
The three critical updates -- MS07-064, MS07-068 and MS07-069 -- plug holes in DirectX, Windows Media Format runtime and IE6 and IE7, respectively. Six of the seven vulnerabilities covered by those updates were pegged as critical for Windows Vista, which Microsoft has touted as it most secure ever.
MS07-064 quashes a pair of bugs in the DirectX handles several streaming video file formats; hackers could exploit the vulnerabilities by duping users into viewing rigged streaming media, said Microsoft.
"This is significant, because many applications -- and Windows itself -- use DirectX to deliver rich content," said Storms, noting that ".wav files, .avi files, and SAMI [Synchronized Accessible Media Interchange] files are all very popular and are used by tons and tons of Web sites." Users are accustomed to opening such formats, he added, making it even likelier that an attack file would pass muster.
MS07-068, Storms said, is "an almost exact duplicate," since it also involves a file format parsing bug, he said. Windows Media Format runtime, part of Windows Media Player and a component used by other parts of Windows to display content, doesn't properly deal with Advanced Systems Format (.asf) files, Microsoft's proprietary streaming media file format.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts