Enjoy the weekend, sysadmins: Next Tues fixes 33 Microsoft bugs

Including IE8 remote code execution hole that pwned US nuke lab

Microsoft has promised to fix a high-profile vulnerability in Internet Explorer 8, among other holes, in this month's Patch Tuesday rollout of security updates.

In all, next week's bucket of upgrades will address 33 bugs in a range of Redmond software. The flaws have been grouped into 10 sets of holes: two marked critical and eight important.

The critical updates kill off vulnerabilities in Internet Explorer that allow miscreants to remotely execute malicious code on victims' machines: one will paper over flaws uncovered during the Pwn2Own hacking competition at CanSecWest in March. This update affects all versions of the web browser from IE6 to IE10 on all Windows operating systems from XP to Win8, including RT.

The other critical update fixes a vulnerability specific to Internet Explorer 8. It is believed computers used by the nuclear weapons research teams at the US Department of Labor were compromised by websites exploiting this browser hole on 1 May. The attack code has since surfaced elsewhere on the web and been bundled into the infosec Swiss army knife Metasploit.

Microsoft's security gnomes developed and tested a fix for the IE8 bug in less than two weeks, which is a much faster turnaround than normal. This speed reflects Redmond's recognition of the seriousness of the flaw.

Meanwhile, three of the important security updates cover remote code execution vulnerabilities in the Microsoft Office suite - including the widely deployed Word 2003 and Word Viewer, as noted by cloud security firm Qualys.

The other five important patches fix denial-of-service and "spoofing" bugs in Windows and the .NET software framework; improper disclosure of sensitive system information in Office and Windows Essentials; and an elevation of privilege glitch in Windows.

Microsoft's advance warning of May's upcoming patch rollout is here.

And it wouldn't be a security upgrade article without this special guest...

Next Tuesday will also mark the arrival of Adobe Reader, Acrobat and ColdFusion security updates.

The upcoming Reader and Acrobat security fix is a cross-platform update for users of Adobe's ubiquitous PDF reading software on Mac OS X, Linux and Windows PCs. The update is only critical for users of Reader/Acrobat 9.5.4 and earlier 9.x versions on Windows PCs. Reader/Acrobat X and XI on Windows still need to be patched, but only to defend against a lesser security threat. The same advice goes for Adobe Reader/Acrobat users on Mac and Linux boxes, whichever version they are running. All this is noteworthy because exploiting Reader/Acrobat vulnerabilities has been a staple of hacking attacks for several years.

ColdFusion, Adobe's web application development platform, is less often targeted. However, an update for Adobe ColdFusion 10 and earlier versions for Windows, Macintosh and Unix systems addresses a zero-day vulnerability that has reportedly been packed into an exploit - and is therefore more pressing than might otherwise be the case. The vulnerability (CVE-2013-3336) creates a potential means for hackers to remotely retrieve files stored on a ColdFusion server. ®
