Date:11/05/12
Microsoft releases critical security update
Microsoft's latest monthly patch release includes three critical software fixes, including one for a vulnerability in Microsoft Office that the firm said could allow remote code execution if a user opens a specially crafted RTF file.
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," the bulletin said.
According to Wolfgang Kandek, CTO at security solution provider Qualys, it is the most critical bulletin "as [the vulnerability] can be used to gain control of an end-user's machine without requiring interaction".
The second critical update is for Microsoft Office, Windows, .NET Framework, and Silverlight and addresses a total of 10 vulnerabilities.
Kandek explained why the update applied to a broad selection of Microsoft software.
"In December of 2011, Microsoft issued a bulletin that patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware.
"After the fix was delivered, Microsoft's internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft's other software packages and found multiple products that contained the flawed code. [This bulletin] now provides the patches necessary to address these vulnerabilities," he said.
Kandek emphasised that Qualys is not aware of any malware that currently exploits this issue.
The third critical update is to fix a vulnerability in the .NET Framework that could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XBAPs, a Microsoft browser-based application delivery format.
"It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the intranet zone of the target," said Kandek.
Of the remaining four important bulletins, Qualys recommends that users focus on the Excel and Visio security fixes.
"Both are file-format vulnerabilities that allow an attacker to take control of the targeted machine if its user opens a specifically crafted file. As we have seen in some of the last year's data breaches, this lowers the success rate only slightly, as attackers are capable of drafting a convincing email that can trick a percentage of the emails' recipients into opening such a file," Kandek explained.
The software patches can be downloaded here.
©ictnews.az. All rights reserved.