Posts Tagged: Joshua Talbot


9
Nov 10

Microsoft Plugs Office Holes, But No IE Fix Yet

Microsoft Corp. today issued three bundles of updates fixing at least 11 security vulnerabilities in its software, mainly flaws in Microsoft Office products. But the company did not release an update today to remedy  a critical flaw built into in all versions of the Internet Explorer Web browser that is now being exploited by at least one common, automated hacker toolkit.

Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today’s patches earned a “critical” rating, Microsoft’s most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “All that is required is for the content of the email to appear in Outlook’s Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected.”

Microsoft did not issue an update to fix a zero-day flaw in Internet Explorer that bad guys are exploiting to break into Windows computers. Last week, the software giant warned that crooks were exploiting the flaw in targeted attacks, and that it had no intention of issuing a fix for the security hole outside of its normal monthly patching process (the second Tuesday of each month — today — is Patch Tuesday).

Since that advisory, the IE exploit has been bundled into the Eleonore Exploit pack, a powerful and widely-used commercial crimeware kit that makes it trivial for attackers to turn legitimate Web sites into platforms for installing malware when visitors browse the sites with vulnerable PCs.

If you have Office Installed, take a moment to visit Microsoft Update to patch things up. If you use IE, either upgrade to IE8 — which provides additional protections against this zero-day attack — or consider implementing the Fix-It tool that Microsoft has released to help mitigate the threat from the vulnerability.

A summary of today’s bulletins is available here.

Update, 7:03 p.m. ET: Added information at the end of this post on the Microsoft FixIt Tool.


12
Oct 10

Microsoft Plugs a Record 49 Security Holes

Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.

Microsoft said at least eight of the vulnerabilities were publicly disclosed prior to the release of today’s patches. The software giant also fixed one of the two remaining zero-day flaws exploited by the Stuxnet worm, a complex family of malware pegged by researchers as a weapon built to attack industrial control systems embedded in facilities like power and chemical manufacturing plants.

At the top of the critical list is an update for Internet Explorer versions 6 through 8 that plugs at least 10 security holes in the default Web browser on Windows, including two flaws that were disclosed previously. Several of the IE flaws are marked critical even on the latest versions of Microsoft’s products, including IE8 running on Windows 7 systems.

Two updates for versions of Microsoft Word and Excel comprise about half of the vulnerabilities addressed in today’s release.

Today’s fixes are available through Windows Update or by enabling Automatic Update in Windows. As always, if you experience any glitches or problems applying these patches, please drop a note in the comments section.

For more information on the patches, check out SANS Internet Storm Center‘s Black Tuesday roundup, as well as Microsoft’s Security Research & Defense blog.

Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.