Patch Windows boxes NOW – unless you want to be owned by a web page or network packet
Someone, come up with a catchy logo for this SSL hole
"Remote code execution if an attacker sends specially crafted packets" is not what many of you want to hear today – nor "remote code execution if a user views a specially crafted webpage using Internet Explorer" – but it's Patch Tuesday, so what do you expect?
Microsoft has issued a batch of security fixes for Internet Explorer, Windows, and Office software – all of which are vulnerable to hijacking from afar by spies, criminals and other miscreants.
Here's a summary of the four "critical" patches this month; the top one is super critical or, if you will, Heartbleed critical:
- Secure Channel: This component of Windows provides things like SSL encryption, and allows a hacker to execute malicious code on a vulnerable system by sending specially crafted network packets to the machine (CVE-2014-6321). It affects all supported releases of Windows – from Server 2003 to Windows 8. The attacker does not have to be logged in. Luckily, the flaw has not (yet) been exploited in the wild, Microsoft says. The patch also adds some new TLS cipher suites.
- Windows OLE: Remote-code execution as the logged-in user if you trick a victim into opening a specially crafted web page in Internet Explorer (CVE-2014-6332). This flaw is not (yet) being exploited in the wild, but affects all supported versions of Windows.
- Internet Explorer: Again, remote-code execution as the logged-in user using a specially crafted web page (many CVEs). These flaws affect various supported versions of Internet Explorer. Some of the bugs merely leak information or allow an attacker to bypass security protections, namely ASLR.
- Windows XML Core Services: Remote-code execution as the logged-in user if you trick a victim into opening a specially crafted web page in Internet Explorer (CVE-2014-4118). "In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website," Microsoft notes.
The remaining fixes include eight patches for vulnerabilities rated by Microsoft as "important" security risks – but yet allow an attacker to elevate his or her privileges or execute code remotely, which could be chained, or used in combination with the above critical vulns, to run code as an administrator on a Windows box from afar.
Finally, two more patches were listed as splatting "moderate" bugs.
Never one to be outdone by Redmond, Adobe has pushed out its own crop of Patch Tuesday updates. The Photoshop giant released a set of Flash Player fixes that squash four pretty bad flaws. ®