Microsoft patches 11 security issues, attacks underway

Share this article:

Microsoft on Tuesday delivered six patches to plug 11 holes in its products, including one vulnerability that hackers already are using to wage targeted attacks.

That flaw, present in Windows Common Controls, could result in remote code execution and affects many products, including Office and SQL Server. Microsoft rated this the top priority of the month and encouraged users to test and apply the "critical" patch (MS12-027) as quickly as possible.

Attackers currently are distributing the exploit via email attachments containing an RTF (rich text format) file, said Wolfgang Kandek, CTO of vulnerability management vendor Qualys.

Also of note was critical bulletin MS12-023, a cumulative update covering five vulnerabilities in all supported versions of Internet Explorer (IE). All of the bugs could result in an attacker obtaining the same rights as the user, but the worst of the flaws could end up in a user's machine becoming infected with malware if he or she is tricked into visiting a malicious web page.

Not fixed were the zero-day vulnerabilities that were used to hack IE 9 in the recent Pwn2Own challenge at the  CanSecWest conference in Vancouver, British Columbia, said Kandek.

Meanwhile, two other patches garnered critical status: MS12-024, which addresses a bug in the Windows Authenticode Signature Verification function, and MS12-025, which involves a flaw in the .NET Framework.

Concerning the former, John Harrison, group product manager of Symantec Security Response, said attackers can change portable executable files without being detected to spread malware. In an exploit scenario, tricksters likely would attempt to lure unsuspecting users to download a free program that appears to be legitimately signed.

"In addition, the attacker doesn't need to worry about controlling memory," he said. "Once the user runs the content, the device has been infected."

The remaining two patches, deemed "important," fixed holes in the Forefront United Access Gateway product, as well as Office.

To coincide with the Microsoft distribution, Adobe on Tuesday released its quarterly Acrobat and Reader update to address four critical vulnerabilities.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.