Newsletters
The Enterprise Security Supersite NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home Network Security Viruses & Malware Cybercrime Security Solutions More Topics...
Network Security
24/7/365 Network Uptime!
Average Rating:
Rate this article:  
Microsoft Patch Tuesday Brings Critical Fixes, Also for Surface
Microsoft Patch Tuesday Brings Critical Fixes, Also for Surface

By Jennifer LeClaire
November 9, 2012 9:19AM

Bookmark and Share
With another Microsoft Patch Tuesday on the way, we asked security and forensic analyst Paul Henry what IT admins and Windows users need to know. Expect a disruptive Patch Tuesday. "With 6 Microsoft bulletins, 4 of which are critical and some restarts required, along with a host of other issues, IT can expect a disruptive Patch Tuesday this month."
 


Most consumers haven't even received their Microsoft Surface tablets yet. But on Patch Tuesday, Redmond will be rolling out a patch for the Windows 8 RT version of its sleek new portable device.

Microsoft will issue six bulletins to address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, and Microsoft Office. Four of the bulletins are rated critical, one is rated important and one moderate. And Windows 8 RT is included in the mix.

"It doesn't matter if you're still running Windows XP SP3 or Windows 8 -- it's important to sit up, pay attention, and take action whenever Microsoft issues security updates," Graham Cluley, a senior security analyst at Sophos, wrote in a blog post. "And that's a lesson that users of the new Microsoft Surface tablet are going to have to learn as well if they're going to reduce the chances of an Internet attack being successful."

Impacting Current Gen Products

We caught up with Paul Henry, a security and forensic analyst at Lumension, to get his take on the upcoming bulletins. He told us IT admins may find they don't have much to be thankful for this Thanksgiving with a disruptive Patch Tuesday headed their way.

"With 6 Microsoft bulletins, 4 of which are critical and some restarts required, along with a host of other issues, IT can expect a disruptive Patch Tuesday this month," Henry said.

"Right off the top, it's disappointing to see the critical bulletins impacting more than just legacy code as we've come to expect in recent months. These bulletins impact many current generation products and that's concerning. Nothing is ever 100 percent secure and albeit mistakes are made in software. But it's still ugly to see."

Reviewing the Bulletins

Bulletin 1 is an update for IE 9. Henry calls it a pretty standard but critical cumulative IE update as it addresses three vulnerabilities. Although nothing is under active attack, he said it should be considered the highest priority for shops running Windows 7 or Vista.

"Bulletin 5 is an interesting one, because it's a true type font issue. It resolves three vulnerabilities, the worst of which is a remote code execution. Microsoft has been dealing with font issues for a while. True Type Fonts can be embedded all over the place and Windows kernel mode driver renders the font," Henry said.

"If these fonts are embedded in a browser or a Word document, for example, it's rendered in the kernel mode driver and winds up becoming a kernel mode exploit. An authenticated, low-rights user could visit a Web site, the font gets rendered, and it gets rendered as 'system.' This is a very effective attack mode, so Microsoft likes to close out font issues quickly. This is as high a priority as Bulletin 1. Those two bulletins will be the two biggest attack vectors in this batch."

Bulletin 2 addresses two vulnerabilities that are critical remote code executions. This is a Briefcase issue, where you have mapped drives with Briefcase, and Henry classifies it as high priority. Meanwhile, Bulletin 4 affects .Net and fixes Bulletin 5 vulnerabilities in the .Net framework. Bulletin 6 is an Excel vulnerability.

"Bulletin 3 is a moderate update for IIS, which could cause concern. But this is an information disclosure issue via FTP only, so it's only a concern if you have IIS set up to provide FTP services," Henry said. "It's moderate, which typically means attackers have to authenticate to pull off the attack. And we all recognize if they can authenticate, they pretty much own the machine anyway."
 

Tell Us What You Think
Comment:

Name:



Salesforce.com is the market and technology leader in Software-as-a-Service. Its award-winning CRM solution helps 82,400 customers worldwide manage and share business information over the Internet. Experience CRM success. Click here for a FREE 30-day trial.


 Network Security
1.   Banks Hit by Android-Skirting Malware
2.   New Technology Defeats Privacy Efforts
3.   Juniper DDoS for High-IQ Networks
4.   Big DDoS Attacks Hit Record in 2014
5.   Can Google Stop Zero Day Flaws?


advertisement
Android SMS Worm on the Loose
Malware lets bad actors cash in.
Average Rating:
Banks Hit by Android-Skirting Malware
34 institutions, four European countries
Average Rating:
New Technology Defeats Privacy Efforts
Study identifies 3 browser techniques.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
34 European Banks Hit by Android-Skirting Malware
Criminals have been finding gaping holes in Android-based two-factor authentication systems that banks around the world are using. The result: 34 banks in four European countries have been hit.
 
New Web Tracking Technologies Defeat Privacy Protections
Recently developed Web tracking tools are able to circumvent even the best privacy defenses, according to a new study by researchers at Princeton and the University of Leuven in Belgium.
 
Juniper DDoS Solution Aims at High-IQ Networks
In the face of more complex attacks, Juniper Networks is boosting its DDoS Secure solution to help companies mitigate the threats with more effective security intelligence throughout the network fabric.
 

Mobile Technology Spotlight
Nvidia Revamps Shield as an Android Game Tablet
Going after hardcore PC gamers, Nvidia is releasing a gaming-focused tablet that works with a controller. The Shield Tablet follows the Shield Portable gaming handheld Nvidia released last year.
 
Apple Patent for Smart Watch Comes to Light
Does a new smart watch patent issued to Apple provide a preview of the expected wearable from the tech giant? Some Apple-watchers are parsing the patent for signs of the coming product.
 
Will iPhone 6 Cannibalize Apple's Tablet Sales?
Could Apple’s iPhone 6 -- it’s so-called super-size phone due to hit store shelves this fall -- come back to haunt the smartphone maker? Some observers say yes; others say preposterous.
 

Navigation
Enterprise Security Today
Home/Top News | Network Security | Viruses & Malware | Cybercrime | Security Solutions | Mobile Security | Disaster Recovery | Windows Security
Data Security | EST Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.