Microsoft fixes critical Windows, Office, IE security flaws
Summary: Microsoft today released five critical patches that fix more than a dozen security vulnerabilities in all versions of Internet Explorer 6 and above, Windows, and Office.

Microsoft has released its latest round of security fixes in a massive Patch Tuesday update, with fixes for 57 known security vulnerabilities in total.
Of the 12 bulletins, five are rated "critical," meaning that hackers and malware writers could remotely execute code on vulnerable machines, opening the door to malware attacks.
Two of the bulletins focus on all versions of Internet Explorer 6 and above—including IE7, IE8, IE9, and even IE10, which is only available for Windows 8 and Windows RT-powered devices, such as the Surface tablet.
For Windows 8 and Windows RT users, ZDNet's Mary Jo Foley explains that amid the security patches, a number of issues relating to Wi-Fi and "Connected Standby" have also been fixed.
In one bulletin, MS13-009, 13 flaws in total are patched, one of them critical: it could have allowed hackers to gain access to a machine after a visitor opens a page laden with malware. Often the user doesn't even know that malware has been installed, but it could allow the hacker to access files and documents and hijack the machine.
The second bulletin relating to Internet Explorer, MS13-010, fixes a vulnerability in an ActiveX library. Also rated critical, the flaw is being actively exploited in the wild, Microsoft said last week. The vulnerability lies in the Vector Markup Language (VML) library, which can be exploited if an unsuspecting user visits a malware-laden Web page.
Once versions of Internet Explorer are patched, they should become safe to use again—for now.
Another critical vulnerability was found in Exchange Server, which could allow remote code execution through its WebReady document viewing service; another, in Microsoft Office, could be exploited by a specially crafted media file; and one more bulletin fixes a critical bug in Windows Object Linking and Embedding (OLE), which could allow a hacker to access a machine with the same permission rights as the logged-on user.
The rest of the vulnerabilities are rated "important," but could also allow denial-of-service attacks and the elevation of user privileges.
Patch Tuesday fixes are available through the usual update channels, such as Windows Update, Microsoft Update, and Windows Server Update Services (WSUS).
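For an administrator who wants to confirm that a Patch Tuesday bulletin actually landed on a machine (rather than trusting the Windows Update history), the following PowerShell check is an added example, not code from the article or from Microsoft. It assumes the bulletin-to-KB mapping is filled in by hand from the bulletin pages; the KB numbers below are placeholders, since the article does not list them. `Get-HotFix` and the `HKLM:\SOFTWARE\Microsoft\Internet Explorer` registry values are standard on supported Windows versions.

```powershell
# Added example: verify that the updates for given bulletins are installed on this host.
# The KB numbers are PLACEHOLDERS; take the real ones from the MS13-009 / MS13-010 bulletin pages.
$RequiredUpdates = @{
    'MS13-009' = 'KB0000000'   # placeholder: cumulative Internet Explorer update from the bulletin
    'MS13-010' = 'KB0000001'   # placeholder: VML (vgx.dll) update from the bulletin
}

# Installed updates as reported by the servicing stack (HotFixID looks like "KB2830477")
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($bulletin in $RequiredUpdates.Keys) {
    $kb = $RequiredUpdates[$bulletin]
    if ($installed -contains $kb) {
        Write-Output "$bulletin ($kb): installed"
    } else {
        Write-Output "$bulletin ($kb): MISSING"
        $missing += $bulletin
    }
}

# The Internet Explorer build on this box, for cross-checking against the bulletin's affected list.
# svcVersion is present on IE 10 and later; older releases only populate Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
Write-Output "Internet Explorer version: $ieVersion"

# Non-zero exit lets a WSUS post-deployment script or monitoring job flag unpatched hosts
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated prompt on each host after the deployment window; the exit code makes it usable as a compliance check in a scheduled task or a configuration-management run, and the IE version line tells you which of the bulletin's affected rows applies to the machine.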

Talkback
As Roseanne Roseannadanna would say, if it's not one thing, it's another
swiss cheese?
http://tinyurl.com/aps7ddr
The same report can be changed too
Hmmm....
Also, you neglected to look at the chart at the bottom. Guess what vendor holds 1st place by almost 70% more than 2nd place?
Numbers
http://tinyurl.com/af5fnvo
http://tinyurl.com/alg4pzt
The second has all the vulnerabilities from the first one but also has a few more. So we don't speak about different products but about "human error".
"""
Also, you neglected to look at the chart at the bottom. Guess what vendor holds 1st place by almost 70% more than 2nd place?"""
And this is pretty funny: Apple has second place and it is not a software company; also, it is nice to click a company name and look at the chart below. Apple's timeline is impressive. In 2012 they had 303 vulnerabilities in total. Microsoft, which is a software company and has much, much more software of its own than Apple, had 173 vulnerabilities in total in 2012. WOW.
Yes, numbers and readability combined with thinking give awesome results.
If patching means it's insecure
Is this supposed to be positive, negative or purely informative?
Not sure there is any point to these articles.
Informative
It IS informative...
Internet Explorer security on Windows client vs. server operating systems
Questions:
o Why has Microsoft made it so hard for their client OS users (NOT enterprise sysadmins) to whitelist frequently-visited sites in the IE "Trusted" Zone?
o Why has Microsoft not implemented a user-friendly version of Enhanced Security Configuration (that is available in Server 2003) for their client OSs so that users can simply visit a web site, go to the menu and select a menu item to add the site to the IE "Trusted" Zone?
It would appear that you are wrong
But the phrase "These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user" is the key. The Internet Explorer, Office 2010 and Chrome low integrity modes (protected modes) *change* the "current user".
It is called defense in depth. Even if an attacker exploits these vulnerabilities and can run his shell code inside the exploited application, the *current user* is a severely restricted user with no write permissions *anywhere* (except for a secluded internet cache area).
The "current user" cannot infect the system.
No, these vulnerabilities are not a sandbox bypass. They are straight-up memory corruptions which *could* allow an attacker to run his own code. But that code would still run inside the protected mode.
Nope
Second, let's look at what Microsoft says in MS13-009:
o Windows XP SP3 Internet Explorer 6/7/8 Remote Code Execution Critical
o Windows Vista SP2 Internet Explorer 7/8/9 Remote Code Execution Critical
o Windows 7 SP1 Internet Explorer 8/9 Remote Code Execution Critical
o Windows 8 Internet Explorer 10 Remote Code Execution Critical
o Windows RT Internet Explorer 10 Remote Code Execution Critical
Note that Windows Integrity Levels are not supported on Windows XP. Also note that Microsoft's Maximum Security Impact and Aggregate Severity Rating (provided in the bullets above) are the same for all currently-supported client OSs, including Windows XP. Sorry, but I'm going with Microsoft on this one.
Client OS and security in the Enterprise
Microsoft fixes critical Windows, Office, IE security flaws
???
Depends
Actually, no. Or rather: Rarely.
Security researchers divide the risk that a vulnerability is exploited into low-risk and high-risk periods. The high-risk period is when the vulnerability is known but a patch is not yet available or organizations/users have not yet applied it.
Patches always have the potential to destabilize systems and applications. In general, users want both stable and secure systems. These two have to be balanced. Mindlessly rushing fixes and patching everything ASAP will invariably lead to some patches disrupting systems. Especially corporations will want to *test* the potential impact before rolling out a patch.
If you send out patches each day (like Ubuntu) you put your customers on the spot: Either they have to set aside time *each day* to test and verify or they will have to delay and bundle patches. But as the patches are now out and vulnerability information in the open, these become *high-risk* days.
A balancing compromise is to bundle patches with the vendor's exposure of vulnerability information. Once a month system admins will set aside time to verify that critical applications/systems will still work following a patch. And they have only low-risk periods leading up to that point.
Sure, if you are a home user who can live with the office apps or internet connection or a specific website becoming incompatible, you'd want patches as soon as possible. But as long as the vulnerability information is not in the open you are not in a high-risk period. I can certainly live with that.
Still does not address a critical question:
You know, I never wanted any of that. I never cared one tiny bit if my buttons could flash and dance and play music. I play multimedia on a player and don't care about getting it embedded on a page. My player can play streaming video.
Ah, well, it never ends. Been this way since before the internet.
Another reason vulnerabilities exist: The Pope Doesn't Design Software
Infallible?
I'm not Catholic myself, but I have studied religion informally all my life, and I was always curious enough to learn such details, since they affect history. My own faith is Christian but not dogmatic about doctrine.
BTW, an intriguing idea, a Pope who can write computer programs. Many priests, especially Jesuits, have been scientists (e.g. Teilhard de Chardin), and this may include some IT people, but they would only have time to do science as a hobby if they want to get up to the Monsignor or Cardinal rank, and by custom (not by theory) the Pope is elected from among the cardinals (theoretically, ANY Catholic man could be chosen as the pope, and he could be ordained a bishop after selection if necessary, but that is as likely as any 35+ American with no prior political career suddenly becoming President).
Two Phases?
This morning, ANOTHER 5 updates (plus the failed "optional" update from Tuesday) were offered! Leaving behind the optional update, the others all installed successfully, and restart was successful. The system has been stable all day, but of course it is too late to test the live webcast, and there will undoubtedly be more updates before next year.
This leaves me wondering: is it possible that some Microsoft engineers applied the update to their own (or office) computers, then tried to watch the SOTU and got the same error? And being the creators of the patch, then went back into (or stayed late at) the office, found the bugs, and issued a new patch overnight?
Or could it be that, as a quick look at update history just now showed, some of the patches were recorded as "failed" in the history log Tuesday, and their retries succeeded today, even though the after-restart display showed ONLY the optional update as failing? It seems strange that Windows Update would only show 5 when it was really applying 10, and then not tell me that the other 5 failed, and wait overnight before saying there are another 5 to be applied! The application of only part of the update package would explain why Windows failed on a live webcast.
Did anyone else have a problem watching the SOTU webcast on whitehouse.gov, and had Tuesday's patch been applied first? Did anyone else get a followup patch today? Did anyone have the two-phase patch, whether they tried to access the webcast or not? It's not important but I am curious!