Microsoft Patch Tuesday: The Ping of Death returns, IPv6-style
This month's round of Microsoft patches addresses must-fix vulnerabilities in Internet Explorer and Microsoft Mail
IDG News Service - Internet Explorer proved to be the biggest security concern for Microsoft in the last month, with the browser accounting for 11 of the 19 critical vulnerabilities the company addressed in August's "Patch Tuesday" set of software fixes.
Such a sizable group of critical patches once again underscores the need for users and organizations to update their copies of Internet Explorer. Their reluctance to upgrade has been a source of ongoing frustration for security professionals, who repeatedly warn of the dangers of unpatched browsers and remind everyone how easy it is to actually update.
With this month's fixes, Microsoft also learned about the precarities of relying on third-party software and witnessed the return of the once-menacing Ping of Death, which this time could pester IPv6 networks.
Overall, Microsoft released eight bulletins on Tuesday. Three of these bulletins were marked as critical, with the remainder categorized as important.
Security researchers are advising system administrators to apply the patches for Internet Explorer first, because of how easy it would be for attackers to exploit these previously undisclosed vulnerabilities.
"Every Internet Explorer is affected," said Wolfgang Kandek, chief technology officer of security and compliance software provider Qualys.
With these vulnerabilities still in the browser, an attacker could plant malicious code on a Web site that could read data or make changes on users' computers.
Users' reluctance to update their browsers is baffling for security experts, given that "Internet Explorer is relatively easy to patch," Kandek said. "To go to a new version shouldn't really break anything within your organization, (even) if you do that very aggressively and without much testing."
"If you experience breakage, you have a real security problem on your hands," Kandek said. In this case, "the solution would be to isolate the applications that you use with the old browsers onto machines you only use for that [task]. You should not use unpatched browsers to surf the Web," Kandek said.
The second critical bulletin addressed three remote execution vulnerabilities in Windows Exchange Server, which would be of interest to organizations whose employees are using the Web version of the Microsoft Outlook mail client.
These vulnerabilities don't actually reside in Microsoft software but rather with the software that Oracle had developed to render documents, called OutsideIn.
Microsoft uses the software to render files, such as PDF files, so they appear in the browser-based Outlook Web Access client. Viewing an attachment with embedded malicious code could compromise the server. Oracle patched the software in April and then again in July, and now Microsoft is passing along the updated version to its users.
"The server side process, which generates the Web page, could get compromised and let an attacker control an Exchange server," said Amol Sarwate, the director of Qualys Vulnerability Labs.