Feeds

Black Tuesday patchfest: A lot of digits plug security dykes

Adobe joins Redmond in game of vuln Twister

Intelligent flash storage arrays

Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical.

Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8.

"This bulletin alone composes almost half of the vulnerabilities addressed this month," said Marc Maiffret, CTO at BeyondTrust. "Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers."

IE was the subject of two bulletins in February and one in March. Further updates in April are likely as a result of flaws uncovered at the recent Pwn2Own competition at CanSecWest, according to Maiffret.

"It does not appear that the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month," he says.

Both Mozilla and Google pushed browser updates within hours of their browser software getting turned over during Pwn2Own.

Other critical updates from Microsoft grapple with remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight vuln is potentially capable of lending itself to a drive-by-download style attack, while the Visio Viewer flaw is more a risk when it comes to opening malicious email attachments.

Last on the critical list are updates for Microsoft's SharePoint server software that cover three elevation-of-privilege vulnerabilities and a denial of service vulnerability.

The patch batch also addresses less serious ("important") security bugs in OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026), both involving information disclosure vulnerabilities.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers.

"These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine," Maiffret explains. French exploit brokers Vupen noted that despite its limitation the flaw might be handy for Stuxnet-style attackers.

Redmond's March Black Tuesday announcement is here. A graphical overview on the updates from the SANS Institute's Internet Storm Centre is here.

Tuesday also marked the release by Adobe of a new version of Flash player, which addresses four critical vulnerabilities.

"Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible," notes Wolfgang Kandek, CTO of Qualys in a blog post. He also offers commentary on the Microsoft updates.

El Reg's security desk notes that Adobe has now patched Flash FOUR times in less than FIVE weeks, since updates on February 7. This is irksome because Flash is a prime target for targeted attacks and asking consumers or corporate users to turn it off, like Java in the browser, isn't easy because the technology is so widely used on the web.

Internet Explorer 10 on Windows 8 enables Flash content to be handled by default, following recent changes by Microsoft, a change that reflects wider changes on the web as much as anything. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.