Microsoft quashes critical bugs in IE10, Windows 8, Word
Drive-by attacks possible against IE9, IE10, as well as Word 2007 and Word 2010
Computerworld - Microsoft today patched a dozen vulnerabilities in Internet Explorer (IE), Windows, Word and Exchange, fixing flaws in the new IE10 for the first time and crushing bugs in Windows 8 and Windows RT for the second month running.
Five of Tuesday's seven security updates were marked "critical," Microsoft's most-severe ranking, while the remaining two were labeled "important." Of the 12 vulnerabilities, nine were critical.
Most security experts focused on two of the seven bulletins, Microsoft's term for a product security update: MS12-077, which patches three bugs in IE9 and IE10; and MS12-079, a one-bug update for Word 2003, 2007 and 2010.
MS12-077 was at the top of the list for both Andrew Storms, director of security operations at nCircle Security, and Jason Miller, VMware's manager of research and development. Both cited the importance of browser bugs because of the massive amount of time users spend in those applications as well as the frequent exploitation of browsers by attackers.
"For Microsoft, this is a pretty typical [patch] day," said Storms. "So IE should be first."
"Whenever there's an IE update, unless it has maybe just one vulnerability, it is pretty much at the top of any list," echoed Miller.
This was the second consecutive month that Microsoft patched IE. Last July, Microsoft announced it was ditching the years-long practice of updating IE on alternate months, saying it now had sufficient resources to tackle browser bugs in any month. The company patched IE in June, July and August to demonstrate its new capabilities before pausing.
Today's IE update patches three bugs in IE9 and one in IE10. It also addressed the underlying issues in older editions -- IE6, IE7 and IE8 -- but did not classify them as actual vulnerabilities, probably because while they contained flawed code, exploits written for the newer versions would not execute on their ancestors.
Microsoft calls such fixes "defense-in-depth" updates.
MS12-077 was the first Microsoft bulletin to address a bug in IE10, which debuted Oct. 26 alongside Windows 8 and Windows RT, the tablet-leaning spin-off. In its advisory, Microsoft also said it was patching the preview of IE10 on Windows 7. The sneak peek debuted four weeks ago.
IE10 also received an update today for Adobe's Flash Player, the popular media software that's baked into Microsoft's newest browser. Last month, Adobe said it would adopt the "Patch Tuesday" schedule of its Redmond, Wash. partner for future Flash security updates. Today's update, the 10th for Flash this year, contains fixes for three critical flaws.
Also bright on security professionals' radar was the Word update, MS12-079, which corrects another flaw in the word processor's parsing of RTF (rich text format) files.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts