Feeds

Enjoy the weekend, sysadmins: Next Tues fixes 33 Microsoft bugs

Including IE8 remote code execution hole that pwned US nuke lab

The Essential Guide to IT Transformation

Microsoft has promised to fix a high-profile vulnerability in Internet Explorer 8, among other holes, in this month's Patch Tuesday rollout of security updates.

In all, next week's bucket of upgrades will address 33 bugs in a range of Redmond software. The flaws have been grouped into 10 sets of holes: two marked critical and eight important.

The critical updates kill off vulnerabilities in Internet Explorer that allow miscreants to remotely execute malicious code on victims' machines: one will paper over flaws uncovered during the Pwn2Own hacking competition at CanSecWest in March. This update affects all versions of the web browser from IE6 to IE10 on all Windows operating systems from XP to Win8, including RT.

The other critical update fixes a vulnerability specific to Internet Explorer 8. It is believed computers used by the nuclear weapons research teams at the US Department of Labor were compromised by websites exploiting this browser hole on 1 May. The attack code has since surfaced elsewhere on the web and bundled into the infosec Swiss army knife Metasploit.

Microsoft's security gnomes developed and tested a fix for the IE8 bug in less than two weeks, which is a much faster turnaround than normal. This speed reflects Redmond's recognition of the seriousness of the flaw.

Meanwhile, three of the important security updates cover remote code execution vulnerabilities in the Microsoft Office suite - including the widely deployed Word 2003 and Word Viewer, as noted by cloud security firm Qualys.

The other five important patches fix denial-of-service and "spoofing" bugs in Windows and the .NET software framework; improper disclosure of sensitive system information in Office and Windows Essentials; and an elevation of privilege glitch in Windows.

Microsoft's advanced warning of May's upcoming patch rollout is here.

And it wouldn't be a security upgrade article without this special guest...

Next Tuesday will also mark the arrival of Adobe Reader, Acrobat and ColdFusion security updates.

The upcoming Reader and Acrobat security fix is a cross-platform update for users of Adobe's ubiquitous PDF reading software on Mac OS X, Linux and Windows PCs. The update is only critical for users of Reader/Acrobat 9.5.4 and earlier 9.x versions on Windows PCs. Reader/Acrobat X and XI on Windows still need to be patched, but only to defend against a lesser security threat. The same advice goes for Adobe Reader/Acrobat users on Mac and Linux boxes, whichever version they are running. All this is noteworthy because exploiting Reader/Acrobat vulnerabilities has been a staple of hacking attacks for several years.

ColdFusion, Adobe's web application development platform, is less often targeted. However, an update for Adobe ColdFusion 10 and earlier versions for Windows, Macintosh and Unix systems addresses a zero-day vulnerability that has reportedly been packed into an exploit - and is therefore more pressing than might otherwise be the case. The vulnerability (CVE-2013-3336) creates a potential means for hackers to remotely retrieve files stored on a ColdFusion server. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.