Feeds

Bumper MS patch batch spells client-side misery

IE still vulnerable after bombardment

High performance access to file storage

Microsoft issued eight updates on Tuesday - two more than expected - as part of its Patch Tuesday update cycle.

Redmond classifies six of the octet as critical, while independent security watchers reckon they all make the highest security grade. Worst of the bunch is an update for ActiveX controls that affects Visual Basic 6.0's runtime (MS08-070.

The buffer overflow risk affects Visual Studio, Foxpro, Frontpage and MS Project, along with third party apps that make use of the affected component. Worse still exploit code has been doing the rounds since April.

There's also a cumulative fix for Internet Explorer (MS08-073). But this fails to address an unpatched vulnerability that's already being used to mount drive-by download attacks, albeit on a limited basis. Other critical fixes cover flaws in Microsoft Office, Outlook, Windows Media Player and Windows Explorer.

Two bulletins - rated as important by Microsoft but critical by the SANS Institute's Internet Storm Centre (ISC) - tackle problems involving SharePoint Server and a separate bug involving Windows Media Player.

The updates collectively address 28 vulnerabilities. Microsoft summary can be found here, while the far more readable ISC "Black Tuesday" overview can be found here.

"The Microsoft elves have been busy and delivered everyone plenty of work to do this holiday season," said Andrew Storms, director of security at patching specialists nCircle. "All but one of the bulletins affect client-side applications and include all the usual suspects: IE, Office, ActiveX and GDI.

"Given the number of client side bugs with Microsoft products just patched, everyone should expect the attackers to celebrate the holiday season in their attack strategies."

Patching of systems will require systems updates, but needs to be carried out regardless of the potential inconvenience because of the heightened risk of phishing or malware attacks against unprotected systems, Andrew Clarke, senior vice president at security tools firm Lumension warned.

"Four critical updates (two involving Windows and two Microsoft Word and Excel) affecting four key pieces of software and major applications used within the enterprise, will require reboots to their systems and servers, adding a degree of complexity and disruption to network productivity," Clarke said.

"While it may be tempting to avoid restarting servers and systems especially during this busy time of year, it is imperative that all IT professionals pay particular attention to the critical updates and patch as quickly as business conditions permit." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.