All four of the critical bugs could allow attackers to remotely execute programs on a targeted system, something that in the past has allowed hackers to steal personal information such as passwords or take over machines for the purpose of sending spam.
The patches were released as part of the company’s monthly “patch Tuesday” security update for its major software products. The company had originally planned to deliver 16 updates Tuesday, but two are marked as yet to appear. They include one that was expected to carry a critical rating.
At 14, the number of patches is a monthly record for 2013 and 2014.
They include a problem with Windows Object Linking and Embedding that could allow remote code execution if the user visits a website containing malicious code. If the user is logged in as the administrator, the attacker could gain the ability to install programs and change and delete data. A related patch for Internet Explorer fixes the vulnerability with malicious websites and 16 other problems with the software, said Microsoft.
A security update for the Microsoft Secure Channel software in Windows fixes a problem that leaves Windows Server vulnerable to attack from specially crafted packets. The fourth critical patch fixes a hole in Windows that allows attackers to invoke Microsoft XML Core Services from a malicious website and then remotely execute code on a target system.
A further seven patches are marked as important—the second highest rank.
One vulnerability in Microsoft Office allows for remote execution of code, four additional problems allow attackers to assign themselves higher privileges and two allow bypass of certain security features in Windows.
Thinking about giving the Windows 10 preview build a shot? You aren’t the only one — according to Microsoft, its Windows Insider Program hit one million registrants over the weekend, giving a lot of potential users access to the latest build of its next-gen operating system. Joining the Windows Insider Program doesn’t necessarily translate to an installed preview, but it is the only way to get access to Windows 10 currently. While it’s not clear how many of those millions have installed the OS, Microsoft says it has received over 200,000 pieces of feedback through Windows’ native feedback application.
Microsoft has reason to believe that most of that feedback is from extensive use, not just folks dipping their toe in the OS: its stats indicate that less than half of all installs are running on virtual machines, meaning most of its users installed Windows 10 natively. It also learned that most users are using more than seven apps a day. The team says that it’s currently trying to categorize and process all of the feature requests and feedback its receiving, and promises to continue to revise and improve the OS before launch.
After a relatively quiet few months, Microsoft Patch Tuesday is back in full force, covering three zero-day vulnerabilities that administrators should attend to as quickly as possible.
Microsoft issued eight security bulletins Tuesday, covering a total of 24 vulnerabilities found in Windows, Internet Explorer, Office and the .Net framework. Three of the bulletins are marked as critical, which means administrators should test and apply these patches immediately. A single bulletin can cover multiple vulnerabilities within one technology.
Three of these vulnerabilities are already being exploited by malicious attackers, hence they are being called zero-day vulnerabilities. This is the first time in recent history—and perhaps ever—that Microsoft has fixed three zero-day vulnerabilities in a single round of patches, which Microsoft typically issues on the second Tuesday of each month.
“Sandworm” is the most notorious of the three and is a vulnerability in Microsoft Windows that has already been used in attacks on NATO and a number of European government agencies, telecommunication firms and energy companies, according to cyberthreat intelligence firm iSight. Microsoft Bulletin MS14-060 fixes this bug.
“This is an urgent one to fix,” said Wolfgang Kandek, chief technology officer for IT security firm Qualys.
Microsoft marked MS14-060 as important rather than critical because for the attack to work, it would require a user to click on a file. Qualys ranks this vulnerability as more severe in that it is pretty easy to trick a single person into clicking on a file, such as a PowerPoint presentation, which would be all that would be required for an attacker to gain access to an internal network with a well-crafted script, Kandek said.
Sandworm is a good reminder for administrators to make sure that they set the user permissions correctly on desktop and laptop computers, meaning not to give an end user full administrative privileges on the machine, Kandek said.
Internet Explorer gets patched, too
The second zero-day flaw addresses a problem in Internet Explorer and the fix is found in MS14-056. This vulnerability “could allow an attacker to break out of the sandboxing capabilities in Internet Explorer,” said Amol Sarwate, director of vulnerability research at Qualys.
The third zero-day, addressed in MS14-058, also comes from a flaw within Windows, namely from the way the operating system kernel drivers handle TrueType fonts. An attacker could embed some malicious code within a TrueType font. When a user visits a site with these ill fonts, Windows will download the font package and automatically execute the code buried within.
Beyond Microsoft’s patches, administrators will also have a busy week with patches from Adobe and Oracle, Kandek said.
On Tuesday, Adobe released a set of patches for its Flash multimedia player. Oracle is also releasing a wide range of patches for its enterprise software. In particular, administrators should take a look at the Java patches, Kandek advised.
Even two-factor authentication can be twarted. This article has some interesting insight on the way the attacks are engineered…