Feeds

Clear next Tues: Incoming Outlook, IE, Windows critical security patches

Maybe the NSA doesn't need those remote execution holes any more

Website security in corporate America

Microsoft will squash 14 sets of security vulnerabilities - four of which are deemed critical - in the next edition of its monthly batch of Patch Tuesday updates, due next week.

Those four critical patches will address flaws in the Sharepoint server software, the Outlook component of Microsoft Office 2007 and 2010, Internet Explorer (versions 6, 7 and 8) and older versions of Windows (XP and Server 2003). All four critical bugs, plus four "important" ones, allow attackers to remotely execute code on a vulnerable system.

In fact, besides those four critical holes, all the remaining 10 so-called bulletins are rated "important". Redmond is holding off details on the vulnerabilities pending the delivery of fixes this coming Tuesday, so for now we only know which software packages are due to be fixed without knowing why they need updating.

Ziv Mador, director of security research at infosec firm Trustwave, said: "This month Microsoft continues the recent tradition of large Patch Tuesday with fourteen bulletins this month. No less than eight of them are categorised as remote code execution but only four of them are rated as critical."

In the first three quarters of 2013, Microsoft has issued 80 security patches, well ahead of the 63 released in the nine months to September 2012. "The increased numbers come from the important [bugs], not the critical [vulnerabilities]," notes Paul Henry, a security and forensics analyst at Lumension. "Microsoft told us this would be the case this year."

The vulnerability in Microsoft Office 2007 and 2010, which "can be triggered simply by previewing an email in Outlook, even without explicitly opening the email", obviously needs to be patched as soon as possible. The Internet Explorer fixes also need to be rushed through.

Microsoft's prerelease announcement can be found here. Additional comment from Wolfgang Kandek, CTO at cloud security firm Qualys, is here.

Tuesday will also mark the delivery of a critical update for Adobe's Reader and Acrobat PDF software packages. Adobe Reader/Acrobat XI (11.0.03) and earlier versions for Windows and Mac OS X as well as Adobe Reader/Acrobat X (10.1.7) and earlier 10.x for Windows and OS X will all need updating, as explained in an advisory by Adobe here. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.