Network Security, Patch/Configuration Management, Vulnerability Management

Microsoft’s 16 patches include one for “cookiejacking”

Microsoft is prepping a large security update for Tuesday, with plans to deliver 16 patches to fix 34 vulnerabilities across its product line.

The patches will mend issues in Windows, Office, Internet Explorer, .NET Framework, SQL Server, Visual Studios, Silverlight and ISA Server, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, said in a company blog post.

Nine of the bulletins are rated "critical," while the remaining seven carry an "important" designation. The update touches all versions of Windows, Excel and Internet Explorer.

Among the more notable fixes are two patches for Internet Explorer. One will address an issue known as "cookiejacking," which involves an attacker accessing a file stored inside a browser -- the cookie -- to steal access credentials.

Late last month, Italian security researcher Rosario Valotta disclosed the vulnerability, stating that it could be used to steal usernames and passwords used to login to popular sites such as Facebook and Twitter. For users to be exploited, they must be tricked into dragging an object across their screen and dropping it into an "attacker controlled HTML element," a type of clickjacking tactic sometimes employed by hackers.

But Gunn played down the likelihood of exploits.

"Given the prevalence of other types of social engineering methods in use by criminals, which provide access to much more than cookies, we believe this issue poses lower risk to customers," she wrote.

Tuesday will be a busy day for IT administrators, as Adobe also is planning updates to its Reader and Acrobat products. These come as part of a quarterly release cycle.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.