Tag: vulnerability
October 15, 2009 by
Jason
On October 13th, 2009, Microsoft started serving to Windows users patches for no less than 34 vulnerabilities, releasing the most security bulletins in the company’s history. The 13 security bulletins made available are designed to offer fixes for a range of security issues affecting Windows, Internet Explorer, Silverlight, Microsoft Office, Developer Tools, Forefront and SQL Server. Microsoft underlined that, despite the large number of patches, all security updates had been thoroughly tested, and only received the green light for broad release once they met specific quality standards.
Out of the total 13 security bulletins released, eight have received Microsoft’s maximum severity rating, namely Critical, indicating that they are designed to patch severe vulnerabilities that could allow for remote code execution in the eventuality of a successful attack. The remaining six patch packages have all been deemed Important, a less severe rating. However, customers should apply the patches offered by the Redmond company immediately. The simplest way to access the security updates is through Windows Update. Users with Automatic Updates enabled will have all patches automatically downloaded to their machines.
Microsoft revealed that no less than seven security bulletins with a maximum severity rating of Critical out of the total eight also had an exploitability index of 1. The highest possible exploitability index: 1 is indicative of the fact that Microsoft considers the possibility of exploit code becoming available in the wild for the seven flaws extremely likely, perhaps even within the first 30 days since the patches were released. This just in case you needed additional incentive to deploy the security updates. Read More»
Posted in Computer | 1 Comment »
Microsoft released no less than eight security bulletins for the various supported releases of Windows client and server operating systems, including for the latest service packs of Windows Vista and Windows XP. Out of the total of patch packages impacting Windows, half feature a maximum severity rating of Critical, with the remaining four being rated as Important. The security updates are available through Windows Update since August 11, 2009, and customers are advised to deploy the patches as soon as possible in order to bulletproof their systems against attacks.
“Of note, Microsoft released MS09-043 to help protect customers from attacks on the Office Web Components vulnerability previously addressed by Security Advisory 973472. I also wanted to let you know that MS09-037 addresses five privately reported vulnerabilities in Microsoft Active Template Library (ATL). Security Advisory 973882 has been updated with a reference to MS09-037. Additionally, Microsoft has released Security Advisory 973811 to include a non-security update that enables new protection technology on the Windows platform,” revealed Christopher Budd, security response communications lead for Microsoft. Read More»
Posted in Windows Vista, Windows XP | No Comments »
The July 2009 Security Release ISO Image is now available for download from Microsoft, having been offered concomitantly with the company’s monthly patch cycle releases. In addition to serving each month’s security bulletins through Windows Update, the software giant is also packaging the patches aimed for the supported Windows client and server operating system as an ISO image. In this context, customers can now access Windows-related security updates, including for Windows Vista Service Pack 2 and Windows XP SP3 that went live on July 14, 2009, through the DVD5 ISO image package.
“This month we are releasing six bulletins. Three of those affect Windows and are rated Critical. All three of those also have an Exploitability Index rating of ‘1’ which means that we believe that consistent exploit code in the wild is highly likely within the first 30 days,” revealed Jerry Bryant, Microsoft security program manager. “The remaining three bulletins are all rated Important and affect Microsoft Office Publisher, Microsoft ISA Server, and both Virtual PC and Virtual Server. The first two also have Exploitability Index ratings of ‘1’ so please consider this while doing your risk assessment. In total, we are addressing nine vulnerabilities this month.” Read More»
Posted in Windows Vista, Windows XP | No Comments »
It is nothing short of ironic that game password stealing malware is being associated with an exploit designed to target a vulnerability in DirectX. But Microsoft officially confirmed that malicious code designed to harvest account credentials for online games had been detected bundled with exploits targeting the DirectShow vulnerability impacting Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003.
The flaw is Critical, the company warned in May 2009, when it revealed that users executing malicious QuickTime media files were at risk of remote code execution.
“Users, upon visiting a specially constructed web page that invokes the vulnerable media plug-in, will encounter exploit shellcode, which further execute and download additional malware to the infected machines. Intending to bypass antimalware protection, malware binaries are encrypted in the download data stream. New dog, same old tricks. To wrap up the attack scene, under the cover of the new exploits are the old long-lived online-game password stealers: PWS:Win32/Wowsteal.AP (drops PWS:Win32/Wowsteal.AP.dll); TrojanDropper:Win32/Dozmot.C (drops PWS:Win32/Dozmot.C and VirTool:WinNT/Dozmot.A); and TrojanSpy:Win32/Lydra.AE,” revealed Microsoft’s Lena Lin, Cristian Craioveanu, Josh Phillips and Patrick Nolan. Read More»
Posted in Computer | No Comments »
Concomitantly with this month’s security bulletin releases, Microsoft has also made available for download the June 2009 Security Release ISO Image. The ISO image is designed as a package containing all the patches released by Microsoft on June 9th, 2009, but only those plugging vulnerabilities in Windows client and server operating systems. June 2009 was synonymous with the release of no less than 10 new security bulletins. No less than six bulletins impact Windows, Microsoft explained.
“This month’s release addresses 31 total vulnerabilities with 15 rated as “1” on our Exploitability Index, meaning there is a high likelihood that reliable exploit code may be developed in the next 30 days,” stated Jerry Bryant, Sr. security program manager lead.
As it is traditional, Microsoft is offering all security patches designed to resolve vulnerabilities in Windows platforms in a single package. The June 2009 Security Release ISO Image comes to compensate the lack of Windows Server Update Services in IT environments that require security update to be downloaded in multiple individual language versions and then deployed. Read More»
Posted in Windows Vista, Windows XP | 1 Comment »
Many Pctipsbox readers use Firefox because it suffers from fewer security holes than IE and most people don’t need .NET features so I’m publishing in my free column today the following steps to remove Assistant 1.0 from Firefox:
Step 1. Check whether the .NET Framework Assistant is installed. You may or may not have Assistant 1.0, even if you installed .NET Framework 3.5 SP1, so check this first. In Firefox, pull down the Tools menu and select Add-ons. In the Add-ons dialog box that appears, if you don’t see .NET Framework Assistant, the add-on is not installed. In that case, you don’t need to do anything further (except close the dialog box).
Step 2. Remove or disable the add-on. If you do find the extension, I recommend that you remove it to reduce your vulnerability to possible security flaws. Choose one of the options shown below.
• Best option: Install the Microsoft fix. On May 6, with little publicity, Microsoft posted an update for .NET Framework 3.5 SP1. Installing this update enables Firefox’s Uninstall button for the add-on. To install the official update, visit Microsoft’s download page. Read More»
Posted in Firefox | 2 Comments »
December 11, 2008 by
Jason On December 9, Microsoft made available for download the last bouquet of security updates for 2008. the company released no less than eight security bulletins, six of them Critical and two rated as Important. Hot on the heels of the last round of patches for the year hitting Windows Update, the December 2008 Security Release ISO Image went live on the Microsoft Download Center. Via the Security Release ISO Image for the current month, the software giant is providing a single package for all the security updates designed for its Windows client and server operating systems, including Windows Vista Service Pack 1 and Windows XP Service Pack 3.
“As far as vulnerability counts go, this is the largest patch release since Microsoft started the ‘Patch Tuesday’ program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities,” Symantec’s Robert Keith revealed.
“Of those issues, 23 are rated ‘Critical’ and affect Word, Outlook, Internet Explorer, Visual Basic ActiveX controls, GDI, Windows Search, and Excel. All of the ‘Critical’ issues this month require some sort of user interaction, whether visiting a Web page that contains malicious content or viewing a malicious file. The remaining issues affect GDI, Windows Search, SharePoint, and Windows Explorer; they range in importance from ‘Important’ to ‘Moderate.’” Read More»
Posted in Windows Vista, Windows XP | 1 Comment »
November 18, 2008 by
Jason The exploit for a vulnerability affecting the Server Service on all supported versions of Windows has been included in a commercial malware kit, available for sale. MS08-067 is labeled with a maximum severity rating of Critical, and the security bulletin is designed to patch vulnerable Windows operating systems, which could allow for remote code execution via a successful attack involving a specially crafted, malicious RPC request. The vulnerability affects the latest Windows client and server operating systems, including Windows 7, Windows Vista Service Pack 1 and Windows XP Service Pack 3.
“Probably the most widely reported topic in the Chinese Security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted on to a well-known public repository site. In a few days, malware kit author, WolfTeeth, was quick to sell a MS08-067 port scanning tool with attack capability to his ‘customers,’ using free code from the Internet,” revealed Haowei Ren and Geok Meng Ong, from the McAfee Avert Labs.
The security issue is rated Critical on Windows Server 2004, Windows XP (including SP3), and Windows Server 2003, and just Important on Windows Vista (SP1) and Windows Server 2008. Microsoft made available MS08-067 as an out-of-band release in October 2008. During the same month the company issued the first security patch for Windows 7, designed for the pre-Beta Build 6801 Milestone 3 release. Read More»
Posted in Windows 7 | No Comments »
You invested in dead bolts and alarm systems to protect your business from theft of merchandise and equipment. But a cyber thief does not need access through the front door to steal the information you store on your PCs. Client credit card and bank account numbers, employee data and other confidential files are all at risk in a cyber attack.
Implementing sound security measures can greatly reduce your vulnerability to phishing (a type of Internet-based scam designed to steal your identity), spyware, and other malicious software used to steal or otherwise compromise business data. The good news is that built-in security features in Windows Vista Ultimate make it much easier to safeguard your PCs. Here are three you should know about: Read More»
Posted in Windows Vista | No Comments »
February 06, 2008 by
Jason
Microsoft’s Internet Explorer is without a doubt the main vector of attacks, when it comes down to web-based threats. Its ubiquity, as well as its intimate integration into the Windows platform, makes it an excellent avenue for attacks. With IE6, Microsoft has gained an ill reputation for failing dramatically to protect end users. From IE6, which undoubtedly is an apex of insecurity compared to alternative browsers, the Redmond company moved to Windows Vista and Internet Explorer 7 under User Account Control, virtually cutting the browser from the critical areas of the operating system. Web-based attacks coming via IE7 in Protect Mode will not be able to write themselves to disk without specific user permission, because the browser runs with the very least possible privileges. Read More»
Posted in Internet | No Comments »
Loading ...
