Feeds

Zero-day fixes star in MS Patch Tuesday

More of the same to come

Internet Security Threat Report 2014

Microsoft released six bulletins - three covering critical flaws - on Tuesday as part of its monthly Patch Tuesday update cycle.

The releases address two unpatched zero bugs (involving DirectShow and Microsoft Video) that have become the target of hacking attacks over recent weeks but offers only mitigation against a problem with Office Web Components, disclosed on Monday. The third critical vulnerability addressed on Tuesday also involves a vulnerable Windows component, specifically the OpenType Font Engine.

The three other bulletin address lesser "important" risks involving the ISA 2006 proxy server, the Publisher component in the MS Office 2007 suite and Microsoft virtualisation server.

Many of the vulnerabilities tackled by the updates lend themselves to exploitation simply by tricking Windows into visiting a maliciously constructed web site or opening a booby-trapped Office document.

Andrew Storms, director of security operations at security and compliance firm nCircle, commented: "Microsoft has released updates that address two of three critical zero-day exploits this month. We can, however, anticipate a more complete patch for ActiveX later, since today's update from Microsoft only issues a killbit on the ActiveX control."

"Essentially, Microsoft opted to disable the functionality... but hasn't fixed the underlying vulnerability," he added.

The Internet Storm Centre's summary of July's releases can be found here. Microsoft bulletin is here.

Microsoft's bulletin on Tuesday coincided with the latest edition of Oracle's quarterly update, making it an extremely busy day for sys admins. Oracle's update contains 30 security fixes across its full range of products as outlined here. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.