Black Tuesday patchfest: A lot of digits plug security dykes

Adobe joins Redmond in game of vuln Twister

Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical.

Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8.

"This bulletin alone composes almost half of the vulnerabilities addressed this month," said Marc Maiffret, CTO at BeyondTrust. "Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers."

IE was the subject of two bulletins in February and one in March. Further updates in April are likely as a result of flaws uncovered at the recent Pwn2Own competition at CanSecWest, according to Maiffret.

"It does not appear that the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month," he says.

Both Mozilla and Google pushed browser updates within hours of their browser software getting turned over during Pwn2Own.

Other critical updates from Microsoft grapple with remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight vuln could lend itself to a drive-by-download style attack, while the Visio Viewer flaw is more of a risk when it comes to opening malicious email attachments.

Last on the critical list are updates for Microsoft's SharePoint server software that cover three elevation-of-privilege vulnerabilities and a denial of service vulnerability.

The patch batch also addresses less serious ("important") security bugs in OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026), both involving information disclosure vulnerabilities.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers.

"These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine," Maiffret explains. French exploit brokers Vupen noted that, despite this limitation, the flaw might be handy for Stuxnet-style attackers.

Redmond's March Black Tuesday announcement is here. A graphical overview on the updates from the SANS Institute's Internet Storm Centre is here.

Tuesday also marked the release by Adobe of a new version of Flash player, which addresses four critical vulnerabilities.

"Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible," notes Wolfgang Kandek, CTO of Qualys, in a blog post. He also offers commentary on the Microsoft updates.

El Reg's security desk notes that Adobe has now patched Flash FOUR times in less than FIVE weeks, since updates on February 7. This is irksome because Flash is a prime target for targeted attacks and asking consumers or corporate users to turn it off, like Java in the browser, isn't easy because the technology is so widely used on the web.

Internet Explorer 10 on Windows 8 now handles Flash content by default, following a recent change by Microsoft that reflects the wider shift on the web as much as anything. ®
