Enjoy the weekend, sysadmins: Next Tues fixes 33 Microsoft bugs
Including IE8 remote code execution hole that pwned US nuke lab
Microsoft has promised to fix a high-profile vulnerability in Internet Explorer 8, among other holes, in this month's Patch Tuesday rollout of security updates.
In all, next week's bucket of upgrades will address 33 bugs in a range of Redmond software. The flaws have been grouped into 10 sets of holes: two marked critical and eight important.
The critical updates kill off vulnerabilities in Internet Explorer that allow miscreants to remotely execute malicious code on victims' machines: one will paper over flaws uncovered during the Pwn2Own hacking competition at CanSecWest in March. This update affects all versions of the web browser from IE6 to IE10 on all Windows operating systems from XP to Win8, including RT.
The other critical update fixes a vulnerability specific to Internet Explorer 8. It is believed computers used by the nuclear weapons research teams at the US Department of Labor were compromised by websites exploiting this browser hole on 1 May. The attack code has since surfaced elsewhere on the web and bundled into the infosec Swiss army knife Metasploit.
Microsoft's security gnomes developed and tested a fix for the IE8 bug in less than two weeks, which is a much faster turnaround than normal. This speed reflects Redmond's recognition of the seriousness of the flaw.
Meanwhile, three of the important security updates cover remote code execution vulnerabilities in the Microsoft Office suite - including the widely deployed Word 2003 and Word Viewer, as noted by cloud security firm Qualys.
The other five important patches fix denial-of-service and "spoofing" bugs in Windows and the .NET software framework; improper disclosure of sensitive system information in Office and Windows Essentials; and an elevation of privilege glitch in Windows.
Microsoft's advanced warning of May's upcoming patch rollout is here.
And it wouldn't be a security upgrade article without this special guest...
Next Tuesday will also mark the arrival of Adobe Reader, Acrobat and ColdFusion security updates.
The upcoming Reader and Acrobat security fix is a cross-platform update for users of Adobe's ubiquitous PDF reading software on Mac OS X, Linux and Windows PCs. The update is only critical for users of Reader/Acrobat 9.5.4 and earlier 9.x versions on Windows PCs. Reader/Acrobat X and XI on Windows still need to be patched, but only to defend against a lesser security threat. The same advice goes for Adobe Reader/Acrobat users on Mac and Linux boxes, whichever version they are running. All this is noteworthy because exploiting Reader/Acrobat vulnerabilities has been a staple of hacking attacks for several years.
ColdFusion, Adobe's web application development platform, is less often targeted. However, an update for Adobe ColdFusion 10 and earlier versions for Windows, Macintosh and Unix systems addresses a zero-day vulnerability that has reportedly been packed into an exploit - and is therefore more pressing than might otherwise be the case. The vulnerability (CVE-2013-3336) creates a potential means for hackers to remotely retrieve files stored on a ColdFusion server. ®