Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Friday, 31 March, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

FREAK, IE and Stuxnet patches delivered by Microsoft

by The Gurus
March 11, 2015
in Editor's News
patch
Share on FacebookShare on Twitter

Microsoft released 14 patches on its third monthly Update Tuesday, to include critical patches for the FREAK flaw and Internet Explorer.
With five critical patches released in total, to address a total of 44 vulnerabilities in all, experts recommended patching MS15-018 first, the bulletin for Internet Explorer. Trustwave’s Karl Sigler said that Internet Explorer accounts for fifteen of the vulnerabilities, the majority of which are memory corruption bugs, the worst of which could result in remote code execution.
He said: “This bulletin patches twelve vulnerabilities in Internet Explorer, the majority of which are memory corruption flaws. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user running IE.
“This security update covers Internet Explorer 6 (IE 6) through Internet Explorer 11 (IE 11) and is rated Critical on affected Windows clients and Moderate for affected Windows servers.”
Alan Bentley, SVP International at HEAT Software (formerly Lumension), said that two vulnerabilities were publicly disclosed, and one is under active attack, the other ten CVEs were privately reported and impact all versions of IE.
Rated as “important”, MS15-031 patches the vulnerability in the Secure Channel (Schannel) which could allow security feature bypass.
Sigler said: “This bulletin patches a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.”
Tod Beardsley, engineering manager at Rapid7, said: “The news here is that Microsoft Schannel – the Windows analog of OpenSSL – is also susceptible to cipher downgrade attacks by active attackers. This isn’t particularly surprising, given Microsoft’s traditional role as a software vendor to Government institutions the world over; it would be strange is Windows did not ship with the weakened, export-grade ciphers that enables the attack in the first place.

“Because of the active man-in-the-middle requirement, this bug can be pretty useful for spies who are targeting specific users in otherwise high security network environments. It’s not very useful for typical internet criminals, since there are much easier methods to redirect and gather user traffic at varying levels of sophistication.”
Also highlighted was MS15-020, which is rated critical for all versions of Windows, and allows an attacker to trick a target into browsing a directory on a website or opening a file. Wolfgang Kandek, CTO of Qualys, said: “Windows Text Services has a vulnerability that allows the attacker to gain remote code execution on the machine. It also has a fix for CVE-2015-0096, a vulnerability related to the original Stuxnet vulnerability CVE-2010-2568.”
Sigler said: “This patches two vulnerabilities in Microsoft Windows. The two vulnerabilities exist when DLLs are loaded that improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the logged-on user.”

FacebookTweetLinkedIn
Tags: ExplorerMicrosoftPatchVulnerabilityWindows
ShareTweetShare
Previous Post

Blue Coat set to be acquired by investment firm for $2.4BN

Next Post

How many in the US Government were using their own email for work?

Recent News

Data Privacy Day: Securing your data with a password manager

For Cybersecurity, the Tricks Come More Than Once a Year

March 31, 2023
cybersecurity training

Only 10% of workers remember all their cyber security training

March 30, 2023
Pie Chart, Purple

New API Report Shows 400% Increase in Attackers

March 29, 2023
Cato Networks delivers first CASB for instant visibility and control of cloud application data risk

Cato Networks Recognised as Leader in Single-Vendor SASE Quadrant Analysis

March 29, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information