Feeds

Black Tuesday patchfest: A lot of digits plug security dykes

Adobe joins Redmond in game of vuln Twister

The Power of One eBook: Top reasons to choose HP BladeSystem

Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical.

Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8.

"This bulletin alone composes almost half of the vulnerabilities addressed this month," said Marc Maiffret, CTO at BeyondTrust. "Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers."

IE was the subject of two bulletins in February and one in March. Further updates in April are likely as a result of flaws uncovered at the recent Pwn2Own competition at CanSecWest, according to Maiffret.

"It does not appear that the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month," he says.

Both Mozilla and Google pushed browser updates within hours of their browser software getting turned over during Pwn2Own.

Other critical updates from Microsoft grapple with remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight vuln is potentially capable of lending itself to a drive-by-download style attack, while the Visio Viewer flaw is more a risk when it comes to opening malicious email attachments.

Last on the critical list are updates for Microsoft's SharePoint server software that cover three elevation-of-privilege vulnerabilities and a denial of service vulnerability.

The patch batch also addresses less serious ("important") security bugs in OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026), both involving information disclosure vulnerabilities.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers.

"These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine," Maiffret explains. French exploit brokers Vupen noted that despite its limitation the flaw might be handy for Stuxnet-style attackers.

Redmond's March Black Tuesday announcement is here. A graphical overview on the updates from the SANS Institute's Internet Storm Centre is here.

Tuesday also marked the release by Adobe of a new version of Flash player, which addresses four critical vulnerabilities.

"Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible," notes Wolfgang Kandek, CTO of Qualys in a blog post. He also offers commentary on the Microsoft updates.

El Reg's security desk notes that Adobe has now patched Flash FOUR times in less than FIVE weeks, since updates on February 7. This is irksome because Flash is a prime target for targeted attacks and asking consumers or corporate users to turn it off, like Java in the browser, isn't easy because the technology is so widely used on the web.

Internet Explorer 10 on Windows 8 enables Flash content to be handled by default, following recent changes by Microsoft, a change that reflects wider changes on the web as much as anything. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.