06-10-2009, 12:17 AM   #1
Ought Six

Microsoft Fixes 31 Flaws In Record Patch Tuesday Update


By Stefanie Hoffman
ChannelWeb
Tue. Jun. 09, 2009


Microsoft issued a monster security bulletin for its June Patch Tuesday release, fixing a record 31 security flaws in a total of 10 updates.

Altogether, the patches repaired numerous vulnerabilities in Microsoft Windows 2000, Vista, XP, Windows Server 2003 and 2008, Office and multiple versions of Internet Explorer, including IE8, with six of the 10 patches designated for errors deemed critical.

Critical flaws indicate that the flaw enables hackers to launch malicious code in remote attacks.

One error in the patch load, given the less severe ranking of "important," was found to be exploited in the wild. The glitch occurred in Internet Information Service (IIS) and opened the door for attackers to gain unauthorized access to a Web server in order to view or steal personally identifying and financial information. The attacker could infiltrate a system by sending a malicious HTTP request to a Web site that requires authentication.

Security experts said that a worst-case scenario in an IIS exploit would enable a hacker to access user names and passwords for other accounts on the server, which could then be used to launch a malicious attack on the server itself.

Microsoft first disclosed the IIS issue in May, indicating that the company was able to identify the vulnerability and repair it within a matter of weeks. Security experts said that Microsoft's response often depends on the nature of the vulnerability and whether it is being actively exploited in an attack.

"The speed at which (Microsoft) is going to patch something depends on the nature of the vulnerability. With this IIS one, there could be two scenarios -- possibly they had the issue reported to them previously, or it could have been something so trivial they were able to do it quickly," said Steve Manzuik, senior manager of security research for Juniper Networks. "While they're never fully secure, they've raised the bar [for attackers to] find vulnerabilities."

Microsoft's June security bulletin also contained fixes for critical Office glitches in Microsoft Word and Excel, all of which left systems vulnerable to remote code execution if a user opened a malicious Excel or Word file. Meanwhile, security experts said that attacks have trended toward file-format vulnerabilities.

"If I'm a bad guy, I'm better off doing a social engineering attack, and enticing you to open an attachment," Manzuik said.

Included in the security bulletin was a patch repairing critical errors in Active Directory, which could be exploited when running Windows XP Professional and Windows Server 2003, and could allow an attacker to launch malicious code with the intention of taking control of a user's computer to view or steal personal and financial information.

In addition, the patch load included a comprehensive update for its Web browser IE including IE8, which shipped in March, repairing a total of seven vulnerabilities. The flaws enable attackers to execute malware on a victim's machine by luring them to view a malicious Web page using IE, typically through some social engineering scheme. Attackers could then infiltrate the victim's computer and launch code to steal data or completely shut down an affected system.

Manzuik maintained that the IE bug had the potential to cause the most damage due to the number of flaws coupled with the widespread popularity of the browser.

Other bugs repaired by the patch included critical flaws in the Windows Print Spooler and Microsoft Works Converters, both of which could allow remote hackers to gain entry into an affected system. The patch also fixed "important" vulnerabilities in RPC and Windows Kernel, both of which allow an attacker to gain unauthorized access to a user's system.