Microsoft patches critical bugs in Windows, Office
Outlook vulnerability could be big, say researchers, but Google engineer's bug should be patched first
Computerworld - Microsoft today patched five vulnerabilities in Windows and Office, including a bug hackers have been exploiting for almost a month.
As expected, today's patch slate was short: Just four security updates that included fixes for five separate flaws. Of the four updates, three were rated "critical," the highest threat ranking in Microsoft's four-step scoring system. All five of the specific vulnerabilities patched today were also rated critical.
Two of the bulletins affected Windows, while the remaining pair impacted Office. Four of the five vulnerabilities in the bulletin quartet were pegged by Microsoft with an exploitability index score of "1," meaning that the company expects attacks to materialize in the next 30 days.
The most prominent of the pair was MS10-042, the update that addressed the vulnerability in Windows XP's Help and Support Center, a feature that lets users access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC.
In early June, Tavis Ormandy, a security engineer who works for Google, published attack code for the bug -- which also affected Windows Server 2003 -- and immediately unleashed a heated debate. While some security researchers criticized Ormandy for taking the bug public, others rose to his defense, blasting both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer.
Ormandy disclosed the vulnerability five days after reporting it to Microsoft after he said the company wouldn't commit to a patching deadline. Microsoft has disputed that, claiming that it only told Ormandy it would need the rest of the week to decide.
Users and IT administrators should apply the MS10-042 patch as soon as possible, agreed several researchers. "This is actively being exploited to target XP desktop systems," said Jason Miller, the data and security team manager for Shavlik Technologies. Miller also noted that Windows XP remains the most-popular version of Windows on both consumer and business PCs, a fact that Microsoft itself stressed yesterday when a company executive said that XP was on 74% of all corporate machines.
"I'm impressed that Microsoft was able to do a turn-around on this as quickly as they did," said Miller. "Some bugs linger for months out there."
Microsoft was first told of the Help and Support Center flaw on June 5, and confirmed that by June 15, attacks were exploiting the bug.
The other Windows update, MS10-043, patches a single bug in the 64-bit version of Windows 7 and Windows Server 2008 R2. Microsoft confirmed the vulnerability in May with a security advisory, noting then that the flaw was in Windows' Canonical Display Driver, which blends the operating system's primary graphics interface, dubbed Graphics Device Interface (GDI), and DirectX to compose the desktop.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts