Microsoft has released three security bulletins, covering 11 vulnerabilities, with one rated as Critical and the other two as Important.
The first one is the MS10-087, which resolves five issues – one public and four private, affecting all currently supported Microsoft Office products.
This security update is rated Critical for Microsoft Office 2007 and Microsoft Office 2010, due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file.
It is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011, as well as Open XML File Format Converter for Mac.
While a vulnerability does exist in the latest Windows client and server platforms with Aero enabled, actually getting exploit code to work and performing successful attacks are not likely to happen. Microsoft downplayed the risk to users of Windows 7 64-bit, Windows Server 2008 R2 for 64-bit systems and Windows Server 2008 R2 for Itanium systems, indicating that the new zero-day, details of which had been disclosed in the wild, was extremely hard to exploit. At the same time, the Redmond company underlined that it was not aware of any attacks targeting the flaw, or of exploit code capable of reaching code execution.
Jerry Bryant, group manager, Response Communications, Microsoft, revealed that the new security hole resided in the Windows Canonical Display Driver (cdd.dll). Microsoft has already published Security Advisory 2028859, informing customers of the issue and offering advice on how to stay protected until a patch is offered.
As it does every month, Microsoft has built an ISO image packaging all the security updates it released for supported versions of the Windows client and server operating systems via its monthly patch cycle.
The latest release, namely the February 2010 Security Release ISO Image, brings to the table the Windows patches offered on February 9th through the Windows Update and Microsoft Update for Windows 7 and Windows Server 2008 R2, but also older releases of the OS, such as Windows Vista and Windows XP.
Just a few days ago, the Redmond company released no less than 13 security bulletins patching a total of 26 vulnerabilities in Windows and Office. A total of 11 patch packages were designed to plug security holes in Windows. “As always, it is recommended that customers deploy all security updates as soon as possible.
Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (‘Consistent Exploit Code Likely’),” Jerry Bryant, Sr. Security communications manager – lead, revealed.
On October 13th, 2009, Microsoft started serving to Windows users patches for no less than 34 vulnerabilities, releasing the most security bulletins in the company’s history. The 13 security bulletins made available are designed to offer fixes for a range of security issues affecting Windows, Internet Explorer, Silverlight, Microsoft Office, Developer Tools, Forefront and SQL Server. Microsoft underlined that, despite the large number of patches, all security updates had been thoroughly tested, and only received the green light for broad release once they met specific quality standards.
Out of the total 13 security bulletins released, eight have received Microsoft’s maximum severity rating, namely Critical, indicating that they are designed to patch severe vulnerabilities that could allow for remote code execution in the eventuality of a successful attack. The remaining six patch packages have all been deemed Important, a less severe rating. However, customers should apply the patches offered by the Redmond company immediately. The simplest way to access the security updates is through Windows Update. Users with Automatic Updates enabled will have all patches automatically downloaded to their machines.
Microsoft revealed that seven of the eight security bulletins with a maximum severity rating of Critical also carried an Exploitability Index rating of 1. An index of 1 is the highest possible and indicates that Microsoft considers it extremely likely that working exploit code for these seven flaws will become available in the wild, perhaps even within the first 30 days after the patches were released, in case customers needed additional incentive to deploy the security updates.
Confronted with increasingly bulletproofed Windows operating systems, the threat environment shifted toward targeting vulnerabilities in the code designed to run on top of the platform. With security enhancements such as User Account Control, Address Space Layout Randomization, Kernel Patch Protection and driver signing, but also with the new development methodology set in place via the Microsoft Security Development Lifecycle, vulnerabilities in Windows Vista and its successor Windows 7 have become harder to exploit, in the eventuality that attackers do come across critical security holes.
The biggest advantage in terms of security Vista and Windows 7 have over precursor Windows clients is the Security Development Lifecycle. And with the threat environment changing focus onto third-party Windows applications, Microsoft is ready to share the SDL secrets with third-party developers. An illustrative example in this regard is the Microsoft Security Development Lifecycle (SDL): Developer Starter Kit.
“The Microsoft SDL – Developer Starter Kit offers content, labs, and training to help you establish a standardized approach to rolling out the Microsoft Security Development Lifecycle (SDL) in your organization—or enrich your existing development practices,” Microsoft revealed.