Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Microsoft release four critical patches in batch of 11 on Update Tuesday

by The Gurus
April 15, 2015
in Editor's News
patch
Share on FacebookShare on Twitter

Microsoft released 11 security bulletins last night, patching four critical vulnerabilities in Windows, Office and Internet Explorer.
 
As well as disabling SSL 3.0 in Internet Explorer 11, the four critical patches all fixed remote code execution flaws. The remaining seven patches fixed vulnerabilities rated as “important”.
 
Russ Ernst, director of product management at HEAT Software, said that patching will want to begin with MS15-033 that addresses five CVEs in Microsoft Office, including a fix of one zero-day vulnerability. “The full update addresses Word 2007, 2012 and Word for Mac 2011,” he said. “A remote code execution could result if a user opened a malicious Office file, giving the attacker full user rights.”
 
Wolfgang Kandek, CTO of Qualys, also rated this as the first priority, particularly as CVE-2015-1641 is a zero-day and is currently under limited attacks in the wild on Word 2010.
 
He said: “This a very low security barrier at most organisations as it is part of the job for employees to open Word DOCX files and they have come to trust the format. The attacker will send an email with the malicious file attached or linked. If the e-mail is worded well click/opening rates over ten per cent are guaranteed.”
 
David Picotte, manager of security engineering at Rapid7, pointed at MS15-032 as the next priority, as this addresses ten Internet Explorer CVEs and is rated as “Critical” with exploitation being quite likely however not yet detected in the wild. “Microsoft really need to get Spartan released so that their browser auto patches itself like all the other browser platforms,” he said.
 
Ernst said: “This is another cumulative update for all versions of IE and patches 10 CVEs, nine of which are critical. The attacker needs users to open a malicious webpage for user rights to then be secured but as we know, this is relatively easy for them to accomplish.”
 
The other two critical-rated patches are MS15-034 that resolves a vulnerability in Microsoft Windows which could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.
 
Kandek said: “The bulletin addresses vulnerability CVE-2015-1635 in the HTTP stack on Windows server 2008 and 2012, also affecting Windows 7 and 8. An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account, the attacker would then use an exploit for second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code.
 
“The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the internet.”
 
Finally, MS15-035 patches a vulnerability in the Microsoft graphics component. Kandek said: “Again the attacker needs user help to execute the exploit, in this case rendering a graphics file. There are plenty of ways to do this, as browsing to a website, opening an e-mail or looking at a fileshare are all possible vectors. Nevertheless this limits exploitation mostly to desktop/laptop machines.
 
“The vulnerability is also limited to older versions of Windows, such as Windows 7, Vista, Server 2003 and 2008. The latest desktop versions of Windows: 8 and 8.1 are not affected, similar for the Windows Server 2008R2 and 2012.”

FacebookTweetLinkedIn
Tags: FlawMicrosoftPatchVulnerability
ShareTweetShare
Previous Post

Microsoft disables SSL 3.0 in patch for Internet Explorer 11

Next Post

Websense announces partnership with Boldon James to boost DLP solutions

Recent News

safe

Will Emphasising App Security Lead to More App Installs?

February 6, 2023
Phone with app store open

$400,000 Fine for Stalkerware App Developer

February 6, 2023
london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information