Microsoft patches 12 bugs, including IE8-only flaws
Expect new drive-by attacks against IE in the next month, says Microsoft
Computerworld - Microsoft today patched 12 vulnerabilities in Windows, Office and Internet Explorer (IE), including three critical bugs in the company's newest browser, IE8.
Of the 12 flaws fixed in Tuesday's six security updates, seven were rated "critical," the highest severity ranking in Microsoft's four-step scoring system. Four of the remaining flaws were pegged as "important," one step lower on the scale, while the final vulnerability was labeled "moderate."
Security researchers unanimously voted MS09-072, the five-patch update for IE, as the one that demands immediate attention.
"That's certainly the one to watch," said Andrew Storms, the director of security operations at nCircle Network Security. "You can't focus enough attention on the IE update. It trumps the bunch."
Richie Lai, the director of vulnerability research at security company Qualys, echoed Storms. "MS09-072 affects IE, which is a big attack surface," said Lai, "and the vulnerabilities are primed to be exploited by classic drive-by attacks."
"Definitely take a look at that one," chimed in Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "Browser attacks are the most prevalent of all attacks."
One of the five fixes included in the IE update addressed the zero-day vulnerability that Microsoft confirmed last month after sample attack code that exploited a flaw in IE's layout parser went public.
Storms applauded Microsoft's speed in quashing the bug. "That was record time for Microsoft, to patch in just two weeks," he said, adding that it usually takes the company a month or more to ready a fix. "The holiday online shopping season had to increase the pressure to patch, but then again, it looks like Microsoft already knew about the bug," said Storms, referring to the credit that Microsoft gave to VeriSign iDefense for reporting the flaw.
But the big news today, said Storms, Lai and Miller, was the fact that of the five IE vulnerabilities in MS09-072, three affect the newest edition of the browser, IE8. Two of those three affect IE8 only; Microsoft's other browsers were immune.
"You can bet that engineers at Microsoft are as depressed about these bugs as much as we are," Storms said of the IE8 vulnerabilities.
"The question is why they're there," Storms continued. "It would be easier to explain if both IE8 and IE7 were vulnerable, as is the case with one of the vulnerabilities. But the fact that two are IE8-only makes us wonder if Microsoft's Security Development Lifecycle is working." Security Development Lifecycle, or SDL, is the term Microsoft's given to a development process that stresses security testing as a piece of software is being written.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts