Microsoft patches critical IE9, Windows bugs

Fixes 34 flaws, including multiple 'drive-by' vulnerabilities, in host of products

By , Computerworld |  Security, ie9, Microsoft

MS11-052 also affected IE, although Microsoft labeled it as a Windows update.

"The vulnerability is in Windows, but the attack vector is through Internet Explorer," said Bryant. "But IE9 is not affected by this update. [The issue] was addressed before IE9 released..., so that's part of the 'newer is better' message we're getting out to customers," Bryant added.

Only IE6, IE7 and IE8 can be used to exploit the vulnerability patched in MS11-052, not rival browsers, Bryant confirmed.

MS11-043 and MS11-042 were also called out by Bryant today. The former, which patches a single vulnerability in how Windows handles the SMB (server message block) protocol, could be used in what Bryant called a "browse-and-own" attack.

On the bright side, said both Bryant and Storms, many companies have blocked outbound SMB traffic at the firewall, which would prevent exploits of the flaw patched in MS11-043.

"I think this may be difficult to exploit in the real world," said Storms.

MS11-042 updates DFS (distributed file service), which is used by administrators to group shared folders located on different servers, to patch a pair of bugs in Windows, one critical and the other important. Microsoft rated the flaw as critical only on Windows XP and Windows Server 2003.

"[MS11-042 and MS11-043] are interesting, but I think they're technically more challenging to attackers," said Kandek.

In fact, Kandek rated MS11-045, an eight-patch update for Excel, the spreadsheet included with Microsoft Office on Windows and Mac, as the second-most-serious of today's collection, immediately after the IE-oriented combo of MS11-050/MS11-052.

"Microsoft ranks it only as 'important' because the user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing to users," said Kandek.

"If I was the attacker, this would certainly be one I would use, if only because users tend to trust Excel files," Kandek added.

Of the eight vulnerabilities patched in the Excel update, only one affected the newer versions, Excel 2007 and Excel 2010 on Windows; two impacted Excel 2011 on the Mac.

"It's blatantly clear that the newer Office software is much better and more secure," said Storms.


Originally published on Computerworld.