Microsoft patches 12 bugs, including IE8-only flaws
Expect new drive-by attacks against IE in the next month, says Microsoft
Computerworld - Microsoft today patched 12 vulnerabilities in Windows, Office and Internet Explorer (IE), including three critical bugs in the company's newest browser, IE8.
Of the 12 flaws fixed in Tuesday's six security updates, seven were rated "critical," the highest severity ranking in Microsoft's four-step scoring system. Four of the remaining flaws were pegged as "important," one step lower on the scale, while the final vulnerability was labeled "moderate."
Security researchers unanimously voted MS09-072, the five-patch update for IE, as the one that demands immediate attention.
"That's certainly the one to watch," said Andrew Storms, the director of security operations at nCircle Network Security. "You can't focus enough attention on the IE update. It trumps the bunch."
Richie Lai, the director of vulnerability research at security company Qualys, echoed Storms. "MS09-072 affects IE, which is a big attack surface," said Lai, "and the vulnerabilities are primed to be exploited by classic drive-by attacks."
"Definitely take a look at that one," chimed in Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "Browser attacks are the most prevalent of all attacks."
One of the five fixes included in the IE update addressed the zero-day vulnerability that Microsoft confirmed last month after sample attack code that exploited a flaw in IE's layout parser went public.
Storms applauded Microsoft's speed in quashing the bug. "That was record time for Microsoft, to patch in just two weeks," he said, adding that it usually takes the company a month or more to ready a fix. "The holiday online shopping season had to increase the pressure to patch, but then again, it looks like Microsoft already knew about the bug," said Storms, referring to the credit that Microsoft gave to VeriSign iDefense for reporting the flaw.
But the big news today, said Storms, Lai and Miller, was the fact that of the five IE vulnerabilities in MS09-072, three affect the newest edition of the browser, IE8. Two of those three affect IE8 only; Microsoft's other browsers were immune.
"You can bet that engineers at Microsoft are as depressed about these bugs as much as we are," Storms said of the IE8 vulnerabilities.
"The question is why they're there," Storms continued. "It would be easier to explain if both IE8 and IE7 were vulnerable, as is the case with one of the vulnerabilities. But the fact that two are IE8-only makes us wonder if Microsoft's Security Development Lifecycle is working." Security Development Lifecycle, or SDL, is the term Microsoft's given to a development process that stresses security testing as a piece of software is being written.
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!