Black Tuesday patchfest: A lot of digits plug security dykes

Adobe joins Redmond in game of vuln Twister

Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical.

Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8.

"This bulletin alone composes almost half of the vulnerabilities addressed this month," said Marc Maiffret, CTO at BeyondTrust. "Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers."

IE was the subject of two bulletins in February and one in March. Further updates in April are likely as a result of flaws uncovered at the recent Pwn2Own competition at CanSecWest, according to Maiffret.

"It does not appear that the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month," he says.

Both Mozilla and Google pushed browser updates within hours of their browser software getting turned over during Pwn2Own.

Other critical updates from Microsoft grapple with remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight vuln potentially lends itself to a drive-by-download style attack, while the Visio Viewer flaw is more of a risk from opening malicious email attachments.

Last on the critical list are updates for Microsoft's SharePoint server software that cover three elevation-of-privilege vulnerabilities and a denial of service vulnerability.

The patch batch also addresses less serious ("important") security bugs in OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026), both involving information disclosure vulnerabilities.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers.

"These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine," Maiffret explains. French exploit brokers Vupen noted that, despite this limitation, the flaw might be handy for Stuxnet-style attackers.

Redmond's March Black Tuesday announcement is here. A graphical overview on the updates from the SANS Institute's Internet Storm Centre is here.

Tuesday also marked the release by Adobe of a new version of Flash Player, which addresses four critical vulnerabilities.

"Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible," notes Wolfgang Kandek, CTO of Qualys in a blog post. He also offers commentary on the Microsoft updates.

El Reg's security desk notes that Adobe has now patched Flash FOUR times in less than FIVE weeks, since updates on February 7. This is irksome because Flash is a prime target in targeted attacks, and asking consumers or corporate users to turn it off, as with Java in the browser, isn't easy because the technology is so widely used on the web.

Following recent changes by Microsoft, Internet Explorer 10 on Windows 8 now handles Flash content by default, a change that reflects wider shifts on the web as much as anything. ®
