Microsoft patches 1990s-era 'Ping of Death'
Also plugs critical holes in IE9, Windows' DNS service in 22-fix collection
Computerworld - Microsoft today issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed "Ping of Death."
Of Tuesday's 13 updates, called "bulletins" by Microsoft, two were labeled "critical" -- the most-serious rating in the company's four-step score -- nine were marked "important," the next-most-dangerous category, and two were pegged as "moderate."
Three of the 22 individual vulnerabilities patched today in the baker's dozen of bulletins were rated critical. The remainder were split -- 15 and four, respectively -- between important and moderate.
Researchers today called out MS11-057, which patches seven flaws in Internet Explorer (IE), as the most important to patch pronto.
"This is the anticipated IE update, about what we expected," said Andrew Storms, director of security operations at nCircle Security, referring to Microsoft's habit of updating its browser every two months. "The most important thing here is that it affects IE9."
Today's IE update was the second to patch critical vulnerabilities in IE9 on Vista and Windows 7. Microsoft first fixed a critical IE9 bug in June.
"MS11-057 affects all Windows versions, and all it takes is a malicious [Web] page to take control of a PC," echoed Wolfgang Kandek, chief technology officer for Qualys. "It's a no-brainer to put this at the top of the list."
Other security experts from Symantec and Kaspersky Lab also highlighted the IE update as the one users should deploy first.
"Both of [the critical vulnerabilities] can be exploited by a drive-by download," said Joshua Talbot, security intelligence manager with Symantec's security response team, in an email. "The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent."
Drive-by download attacks are those that can be triggered simply by steering a vulnerable browser to a malicious website. Users are typically duped into visiting such sites by search poisoning efforts or links embedded in spammed email messages.
Most experts, including those on Microsoft's payroll, called out MS11-058 as the second update to apply as soon as possible.
That update patches a pair of vulnerabilities in Microsoft's DNS (domain name system) service, which is used by many organizations to translate Internet addresses into the domains recognizable to humans.
Microsoft ranked one of the MS11-058 bugs as critical on Windows Server 2008 and Server 2008 R2 when running the DNS service, and warned that attackers could remotely exploit such servers simply by sending it a malformed query.
"[That] could potentially allow an attacker who successfully exploited the vulnerability to run arbitrary code on Windows Server 2008 and Windows Server 2008 R2 DNS servers having a particular DNS configuration," said Microsoft in a follow-up post to its Security Research & Defense blog today.
"This is significant, as the majority of organizations running Microsoft-based networks do have DNS activated on their servers," said Marcus Carey, a security researcher with Rapid7, in an email today.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts