Microsoft patches 9 bugs, leaves one open for hackers
Two zero-days and critical font bug quashed; no fix for Monday's ActiveX vulnerability
Computerworld - Microsoft today delivered six security updates that patch nine vulnerabilities, fixing two bugs already being used by hackers but leaving one still open to exploit.
Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's virtualization software. Six of the nine bugs were ranked critical, Microsoft's highest ranking in its four-step score, while three were tagged as "important," the next-lowest label.
"We got what we expected," said Andrew Storms, director of security operations at nCircle Network Security. "We got the 'kill bit' we were looking for in the ActiveX control and the DirectShow fix," he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.
In May, Microsoft acknowledged that hackers had begun exploiting a bug in DirectShow, one of the components in Windows' DirectX graphics platform. Last week, it owned up to another bug, this one in a video streaming ActiveX control used by Internet Explorer (IE) -- and admitted it had known about, but not fixed, the flaw for the past 18 months.
Microsoft patched the already-public DirectShow flaw with MS09-028, and for good measure tucked in fixes for two more vulnerabilities also reported by researchers.
The "kill-bit" update in MS09-032 didn't actually patch the underlying ActiveX problem. Instead, Microsoft simply disabled the control, effectively shutting off any possible attack by modifying the Windows registry using the update. Microsoft offered the same protective measure via an automated tool last week, but that required users to manually browse to a support document, then download, install and run the tool.
Researchers unanimously voted those two updates as the ones to deploy immediately. "Microsoft did well to get out the two zero-days," said Eric Schultze, chief technical officer at Shavlik Technologies, "especially the ActiveX. It was a little much to ask them to get out the Office ActiveX fix, though."
Schultze was talking about a bug in an ActiveX control used by Office Web Components to display Excel spreadsheets in IE. Microsoft warned users of the vulnerability only yesterday. By today, Web attacks had rapidly increased. On Monday, however, Microsoft said that it wouldn't wrap up a fix in time for today's release.
Like the DirectShow ActiveX flaw that was patched today, Microsoft has released a "Fix It" tool that users can download and run themselves to kill the control. But, according to Schultze, Microsoft's not planning to push a kill-bit update to users for this second flaw. "Setting the kill bits actually impedes functionality," Schultze said. "Microsoft told me today that they're working on a file-level fix."
- Some are twisting the facts in requests to be forgotten, Google says
- Thumb drives can be reprogrammed to infect computers
- CISOs still struggle for respect from peers
- IBM buys access control and identity management firm CrossIdeas
- Security Manager's Journal: A ransomware flop, thanks to security awareness
- In a hyper-social world, some seek a little privacy
- Popular Internet-of-Things devices aren't secure
- Many antivirus products are riddled with security flaws
- Mobile management: Making sense of your options
- British hacker Gary McKinnon launches SEO startup
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!