Feeds

Windows, Office zero-day vuln must wait for next Patch Tuesday, says MS

November's updates promise relief for critical IE and Windows bugs

SANS - Survey on application security programs

Microsoft is lining up eight bulletins for the November edition of patch Tuesday (12 November), including three critical fixes, but there's no relief in sight for a zero-day vulnerability in how Office handles .TIFF graphics files.

Hackers are exploiting a zero-day vulnerability in a graphics library that is used by Microsoft Office and older versions of Windows in a targeted attack, as revealed by The Register this week. There is no patch available for this, and nothing is scheduled to arrive next Tuesday.

However, Redmond's security gnomes have at least issued a workaround to defend against possible attacks that works by disabling TIFF rendering in the affected graphics library. TIFF is a format used frequently when scanning documents and in the publishing industry.

A comprehensive patch against the vulnerability, which only surfaced last week, will probably have to wait until December.

In the meantime there's November's eight-strong bulletin to consider, which covers flaw in both Windows and Microsoft Office software. The three “critical” bulletins affect IE and Windows, with the remaining five "important" bulletins affecting Office and Windows.

“All of the critical bulletins and one of the important bulletins result in a remote code execution and should be prioritised higher," explains Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post. "The rest of the important bulletins result in the elevation of privileges or a denial of service condition.”

Microsoft's pre-release advisory - which leaves out details of the vulnerabilities to be addressed pending their release next Tuesday - is here.

Ross Barrett, senior manager of security engineering at Rapid7, said November's medium to lightweight Patch Tuesday is likely to provoked mixed feelings among sysadmins.

"The November Patch Tuesday Advance Bulletin is out and I think everyone is breathing a sigh of both relief and frustration," Barrett commented. "Relief because for the first time in a few months, this is a relatively straightforward Patch Tuesday, with fixes for most Windows versions, the ever-present IE roll up patch, and some Office components, but nothing esoteric or difficult to patch. No SharePoint plugins, no complicated .NET patching, no esoteric office extensions."

"There is frustration because according to the MSRC blog, this round of patches does not include a fix for the recently published, exploited in the wild Office vulnerability described in Microsoft Security Advisory 2896666." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.