Feeds

Enjoy the weekend, sysadmins: Next Tues fixes 33 Microsoft bugs

Including IE8 remote code execution hole that pwned US nuke lab

Choosing a cloud hosting partner with confidence

Microsoft has promised to fix a high-profile vulnerability in Internet Explorer 8, among other holes, in this month's Patch Tuesday rollout of security updates.

In all, next week's bucket of upgrades will address 33 bugs in a range of Redmond software. The flaws have been grouped into 10 sets of holes: two marked critical and eight important.

The critical updates kill off vulnerabilities in Internet Explorer that allow miscreants to remotely execute malicious code on victims' machines: one will paper over flaws uncovered during the Pwn2Own hacking competition at CanSecWest in March. This update affects all versions of the web browser from IE6 to IE10 on all Windows operating systems from XP to Win8, including RT.

The other critical update fixes a vulnerability specific to Internet Explorer 8. It is believed computers used by the nuclear weapons research teams at the US Department of Labor were compromised by websites exploiting this browser hole on 1 May. The attack code has since surfaced elsewhere on the web and bundled into the infosec Swiss army knife Metasploit.

Microsoft's security gnomes developed and tested a fix for the IE8 bug in less than two weeks, which is a much faster turnaround than normal. This speed reflects Redmond's recognition of the seriousness of the flaw.

Meanwhile, three of the important security updates cover remote code execution vulnerabilities in the Microsoft Office suite - including the widely deployed Word 2003 and Word Viewer, as noted by cloud security firm Qualys.

The other five important patches fix denial-of-service and "spoofing" bugs in Windows and the .NET software framework; improper disclosure of sensitive system information in Office and Windows Essentials; and an elevation of privilege glitch in Windows.

Microsoft's advanced warning of May's upcoming patch rollout is here.

And it wouldn't be a security upgrade article without this special guest...

Next Tuesday will also mark the arrival of Adobe Reader, Acrobat and ColdFusion security updates.

The upcoming Reader and Acrobat security fix is a cross-platform update for users of Adobe's ubiquitous PDF reading software on Mac OS X, Linux and Windows PCs. The update is only critical for users of Reader/Acrobat 9.5.4 and earlier 9.x versions on Windows PCs. Reader/Acrobat X and XI on Windows still need to be patched, but only to defend against a lesser security threat. The same advice goes for Adobe Reader/Acrobat users on Mac and Linux boxes, whichever version they are running. All this is noteworthy because exploiting Reader/Acrobat vulnerabilities has been a staple of hacking attacks for several years.

ColdFusion, Adobe's web application development platform, is less often targeted. However, an update for Adobe ColdFusion 10 and earlier versions for Windows, Macintosh and Unix systems addresses a zero-day vulnerability that has reportedly been packed into an exploit - and is therefore more pressing than might otherwise be the case. The vulnerability (CVE-2013-3336) creates a potential means for hackers to remotely retrieve files stored on a ColdFusion server. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.