Microsoft addressed numerous flaws in its Patch Tuesday updates.
The company also fixed at least 15 other flaws in its software, and urged customers to stop using the desktop Sidebar and Gadget features offered in Windows 7 and Windows Vista.
By far the most urgent of the updates is MS12-043, which fixes a critical vulnerability in Microsoft XML Core Services that miscreants and malware alike have been using to break into vulnerable systems. Microsoft had already warned about limited, targeted attacks using this flaw, but late last month an exploit built to attack the XML bug was added to the BlackHole Exploit Kit, an automated browser exploit tool that is very popular in the criminal underground right now.
Other critical patch bundles include a fix for a dangerous flaw in the Microsoft Data Access Components (MDAC) of Windows, and an update to address a pair of vulnerabilities in Internet Explorer.
Microsoft also released a FixIt tool to help network administrators block the use of Gadgets and the Sidebar on Windows 7 and Windows Vista systems. “We’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run,” Microsoft said in a blog posting, without offering much more detail about any specific findings.
This potentially increases the risk for widespread attacks.
Meanwhile, the German federal security agency issued a statement on Friday urging its citizens to use an alternative browser to IE until a patch arrives.
“We still only see limited targeted attacks affecting Internet Explorer 6,” Jerry Bryant, senior security program manager lead at the Microsoft Security Response Center, said in a statement. “While newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult.”
McAfee researchers have seen references to the code on mailing lists and confirmed that it has been published on at least one Web site, the company’s Chief Technology Officer George Kurtz wrote in his blog. “The exploit code is the same code that McAfee Labs had been investigating and shared with Microsoft earlier this week,” he said.
“The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability,” Kurtz wrote. “The now-public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems. Popular penetration testing tools are already being updated to include this exploit.”
Although IE 6 was the version running on the computers that were attacked, all versions are vulnerable.
Microsoft issued a warning on Thursday about the new hole and said it was working on a patch. The vulnerability affects IE 6, 7 and 8 on all the modern versions of Windows, including Windows 7, according to Microsoft’s advisory. Microsoft said IE 6 was the browser version being used on the computers that were targeted in the attacks. (Source: CNET)