Qualys

Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical.

Wolfgang Kandek, CTO of Qualys, said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer.

It's Patch Tuesday, but Microsoft didn't discover the latest zero-day vulnerability quickly enough to issue a fix this week. On Monday, Microsoft issued a security advisory about a new vulnerability in the Office Web Components Spreadsheet ActiveX control.

"The vulnerability exists specifically in the Spreadsheet ActiveX Control and could allow an attacker who successfully exploited this vulnerability the same user rights as the local user," the advisory said. "We are aware of limited, active attacks attempting to exploit this vulnerability."

Browse and Get Owned

February's Patch Tuesday saw Microsoft issue four security bulletins that address a total of eight vulnerabilities, three rated as critical.

The first critical vulnerability relates to Microsoft Exchange Server. An attacker can exploit it remotely by sending a maliciously designed e-mail message to a user on an unpatched Exchange server.

"This attack can result in the installation and execution of attacker-supplied code, giving complete control of the e-mail server to the attacker," said Ben Greenbaum, senior research manager at Symantec Security Response.

Microsoft released critical fixes on Patch Tuesday for vulnerabilities that could leave the door open for worms that wreak havoc on business networks. In all, Microsoft released one security bulletin that addresses three vulnerabilities, two of them rated critical.

Microsoft is investigating new public reports of a vulnerability that could allow remote-code execution on systems with supported editions of its Microsoft SQL Server products.

Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, and Windows Internal Database are affected. Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Microsoft has issued an emergency patch to fix a critical Internet Explorer vulnerability that puts users at risk. At least two million computers have been infected in the past week, most of them in Asia.

The out-of-cycle patch is available through Microsoft's normal update options, including Windows Server Update Services, Microsoft Update, and Windows Update.

The fact that Microsoft broke its normal patch cycle is an indication of the importance of this patch, according to Wolfgang Kandek, CTO of Qualys.

IOActive security researcher Dan Kaminsky offered his much-anticipated speech on the DNS vulnerability at the Black Hat conference on Wednesday. His message: Patching your systems is urgent because the risk of cache poisoning is great.

Kaminsky discovered the bug in early July. The attack code was released several weeks later by developers of the Metasploit hacking toolkit, headed by the infamous HD Moore.