Microsoft patches 23 Windows flaws, warns of risk of code execution attacks
Summary: The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.
Microsoft wheeled out another batch of security patches today to fix multiple dangerous security flaws that expose billions of Windows users to remote code execution attacks.
The company is urging Windows users to pay special attention to MS12-034, a "critical" bulletin that patches 10 distinct security holes. Three of these vulnerabilities have already been publicly disclosed and Microsoft expects to see working exploit code released within 30 days.
The vulnerable code patched by MS12-034 is linked to the Duqu malware that was used to spy on high-profile targets in Iran.
- MS12-034 (Microsoft Office, Windows, .NET Framework, and Silverlight): This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
Microsoft is also highlighting MS12-029 as another high-priority update that should be deployed immediately. This bulletin, also rated critical, addresses a security flaw in Microsoft Word that could be exploited by hackers to take complete control of a vulnerable machine. Attack vectors for this issue include maliciously crafted websites and email, the company said.
Here's a glimpse at the rest of this month's updates:
- MS12-035: This security update resolves two privately reported vulnerabilities in the .NET Framework. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-030: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-031: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-032: This security update resolves one privately reported and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
- MS12-033: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Talkback
I'm going to be busy patching this week
Sorry, let me rephrase that for the Apple fanbois: Why can't MS make an OS that just works?
PS I had to reboot my iPad after the patch. Haven't patched my iPhone yet but I'm guessing I'll have to reboot that too. Why can't Apple release patches that don't require reboots? Sorry, let me rephrase that for the Apple fanbois: Why can't Microsoft release patches that don't require reboots?
PPS My laptop reboots faster than either of my iDevices. Windows 7 is great.
Updates
Linux, Unix and Mac are Unix-based; they also have updates, but not so much.
The data shows you're wrong.
"Linux, Unix and Mac are Unix-based; they also have updates, but not so much."
Windows had the lowest vulnerability count. At least that was the case about a year ago. I haven't compared them lately.
Linux downtime
We have plenty of internet-facing servers (dns, smtp, pop/imap, http, vpn) and intranet servers (samba, dns, internet gateways, rsync) with uptimes measured in years. All services patched.
The MCSE wonders why Unix admins get frustrated with the Windows patch/reboot cycle (and that stupid registry!)
Windows had the lowest vulnerability count
@ye
How do you count that count? Do you apply any severity weight to it? Do you include all distro packages or just a kernel? Debian/Ubuntu has about 30000 packages (my (X)ubuntu 12.04 gives 37461 packages).
On the other hand, remote code execution is quite rare. Patches are available for ALL packages including "third-parties" (in MS' lingo) and not just on a monthly basis.
Windows had the lowest vulnerability count
Windows XP was released in August 2001. Until today (it still receives security updates) it has experienced 534 vulnerabilities.
http://secunia.com/advisories/product/22/
The Linux *kernel* 2.6 was released in December 2003, i.e. it has had a lifespan which is more than 2 years shorter than Windows XP. Still, the Linux *kernel* has experienced 624 vulnerabilities.
http://secunia.com/advisories/product/2719/
Now, this is just the Linux *kernel*. The Linux kernel is not functionally equivalent to Windows XP. For example, the Linux kernel does not include a window manager, desktop, media player, video editing or a *browser*. You cannot reach the same functionality as XP using Linux without adding products which will rake up the vulnerabilities.
Going over the list of XP vulnerabilities we find that vulnerabilities in the following software have been included in the Windows XP count (i.e. *not* vulnerabilities in the Windows kernel):
HTML help, Support Center, zip utility, Microsoft's Java VM (yes, they distributed a Java VM back in the day), RDP/Terminal services, script engine, Shell, Media Player, HTML converter, NetMeeting, DirectX, Microsoft Data Access Components, ListBox and other GUI controls, Internet Explorer, IIS, SMTP service, Firewall, Indexing Service, Telnet client, Microsoft Agent, Step-by-Step Interactive Training Vulnerability. Even Flash Player was included with the first version of Windows XP and vulnerabilities of Flash counted towards Windows XP vulnerabilities until taken out.
But already *before* adding vulnerabilities in equivalent software, Linux has experienced more vulnerabilities than good old Windows XP. During a period which is more than 2 years shorter.
Linux updates
Likewise, Windows XP generally does not include driver updates for most third party hardware, whereas the Linux kernel does. That's the reason why the Linux kernel source is so huge despite the fact that it is only a small component of a running computer. And a single computer only uses a small fraction of what goes into the Linux kernel source, so the odds that a single kernel patch affects your computer are pretty slim.
But pissing match aside, I would say that in the last 5 years both operating systems have done as well as can be expected on the security front.
@honeymonster, 2.6.27,3[245] and 3.*
honeymonster
But while you are at Secunia maybe you should take a look at how many unpatched vulnerabilities Windows 7 has, and the severity rating they have, and how long they have been unpatched for.
Updates
Yes they do. But they still aren't the Swiss cheese Windows is.
Windows had the lowest vulnerability count
Since @ye told us. ;)
Look at all the ABMers trying to defend Linux vulnerability counts.
ye says it's so
Besides, what do you care? You don't even use Linux anyway.
[i]Using every excuse in the book to dismiss the higher counts in Linux. You can't write better comedy.[/i]
A vulnerability is not the same as an exploit. I'm not really worried about it.
Unlike our favorite Microsoft fanboy here spreading Fear, Uncertainty & Doubt.
Since @ye told us
ye is a hypocrite
Try making bug free code sometime . . .
Try making a few lines of bug free code yourself sometime . . .
. . . and multiply the number of bugs you end up with by about a million.
Oh, trust me, I know
Dear toddy, you don't fool us for a moment