Microsoft (NSDQ:
MSFT)
issued eight security patches in its December security bulletin, fixing
a total of 28 vulnerabilities in Microsoft Windows, Internet Explorer
and
Microsoft Office that allow remote attackers to launch malicious attacks on victims' PCs.
The security fixes are part of Microsoft's regular monthly patch release, issued on the second Tuesday of every month, known as Patch Tuesday.
Six of the updates, repairing a total of 23 errors, were deemed
critical, which means that potential cyber attackers have the ability
to execute malicious code remotely that could shut down or completely
take control of a user's PC. Specifically, the critical patches plug
holes in different versions of Microsoft's Windows operating system, as
well as Internet Explorer and Microsoft Word and Excel applications.
Experts say that one of the most serious bugs repaired by
Microsoft's December patch bulletin was a vulnerability found in GDI
that could be exploited if a user opens a malicious WMF image file.
What makes this vulnerability particularly dangerous is that the user
would only have to view a Web page containing a malicious image in
order to become infected, experts say.
"It's a graphical interpretation that's deep within the
operating system, and it's very easy for you to trigger it," said
Wolfgang Kandek, CTO of security company Qualys. "All you have to do is
go with your browser to a malicious Web site that hosts one of those
images and your machine gets attacked and infected, most likely for
monetary purposes."
Another patch resolves two separate bugs in Windows Search. If
left unpatched, a user's PC could become infected when he or she opened
and saved a malicious saved-search file within Windows Explorer. A
remote attacker also could infect victims by enticing a user to click
on a maliciously crafted link, which is typically done by some kind of
social engineering ploy. Once a user opens the specially crafted file,
the attacker could then install malicious code on his or her computer
or view, change or delete his or her personal data or create new
accounts with full access privileges.
Microsoft also issued a broad patch addressing four security issues in
Internet Explorer that could allow unsuspecting users to be the victims
of a malicious attack by viewing a specially crafted Web page on the
search engine.
The patch bundle included six fixes for security flaws in third-party ActiveX controls for Microsoft Visual Basic
6.0 Runtime Extended Files. Like many other critical flaws, these
vulnerabilities enable remote attackers to launch an attack by luring
victims to a Web site containing malicious content. Experts say that
this flaw was particularly dangerous due to the fact that it is a
third-party control, and ultimately relies on the software developers -- not the end users -- for its repair.
"It doesn't really patch the client's machine. It patches people who
distribute ActiveX controls," said Amol Sarwate, manager of the
vulnerabilities research lab for Qualys. "[In theory], as an attacker,
I would make use of this vulnerability, and make victims download the ActiveX control and control their machines."
In addition, the security patch fixed eight more vulnerabilities in
Microsoft Word and Microsoft Office Outlook that could allow remote
code execution if a user was compelled to open a malicious Word or Rich
Text Format
file. Similarly, the patch also fixes three reported errors in Excel
that could also open the door for hackers to launch a remote attack
using a specially crafted Excel file.
Meanwhile, two of the security vulnerabilities, which were given an
"important" ranking, repair errors in both SharePoint and WMC. The
SharePoint fix resolves a vulnerability that allows an attacker to
bypass normal user authentication by browsing an administrative URL on a SharePoint site that would result in elevated user privilege status.
So far, experts say that they have not found any of the vulnerabilities
to be actively exploited in the wild. Nonetheless, security experts
recommend that users patch their systems as soon as possible with the
most recent security updates.
"The bad guys, they take these patches and reverse engineer them. They
know very quickly what is broken in the version before. A day or two
from now we could see these attacks being exploited," Kandek said.
"In general, we think patching is vital," Kandek added. "All these
worms have used known vulnerabilities. If you had applied patches, this
would not have happened."
source : http://www.crn.com/