V3.co.uk

Microsoft releases fixes for Internet Explorer, Word and Excel vulnerabilities

Businesses urged to install patches sooner rather than later

By Alastair Stevenson (@MonkeyGuru), 09 October 2013

Microsoft has released fixes for vulnerabilities in a number of key services, including Internet Explorer (IE), Word, Excel, the .Net framework and Windows Kernel-Mode Drivers, in its latest Patch Tuesday.

The vulnerabilities in IE, the .Net framework and Windows Kernel-Mode Drivers were listed as the most serious, categorised as critical. The IE vulnerabilities were disclosed by Microsoft last month after it released a broken patch for them, which was subsequently pulled.

The news was troubling as it meant hackers had been alerted to vulnerabilities before Microsoft had a chance to fully fix them, leaving businesses with a temporary "Fix It" workaround. Trustwave director of security research Ziv Mador said the lack of a true fix was dangerous as the vulnerabilities could be exploited by hackers to mount a remote code execution attack.

"This is the biggie that everyone has been worried about, that was first announced last month and for which Microsoft issued a Fix It," he said.

"The good thing is that if you already applied the Fix It, you do not need to undo the changes before applying this update. The issue with all 10 of these vulnerabilities has to do with how IE handles objects in memory; if items in memory get corrupted in a certain way an attacker could cause that corruption to execute arbitrary code."

The bulletin issued a similar advisory for the .Net framework and Windows Kernel-Mode Drivers vulnerabilities. Ross Barrett, Rapid7 senior manager of security engineering, warned that, if left unpatched, the vulnerabilities could theoretically be exploited by hackers for a variety of purposes.

"MS13-081 (vulnerabilities in Windows Kernel-Mode Drivers) addresses an exploit path (CVE-2013-3128), which would give an attacker kernel-level access on a system that attempts to render a page containing a malicious OpenType font," he said.

"Technically one of the CVEs in MS13-082 (vulnerabilities in .Net framework) addresses a variant of the same issue, which Microsoft found by auditing the reuse of that code. In this case the variant would only give user-level access to that attacker. At this time this issue is not known to be under active exploitation."

Barrett added that the vulnerability in the Windows Common Control Library was particularly interesting, as it could theoretically be targeted by a self-spreading worm attack.

"MS13-083 looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net webpages. This is a genuine article; a real, honest to goodness, potentially 'wormable' condition," he said.

"If the bad guys figure out a way to automate the exploitation of this, it could spread rapidly and the defence in depth measures of your organisation will be tested. However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation."

Important patches for vulnerabilities in Microsoft Word, Excel and Windows Common Control Library were also released. Microsoft downplayed the significance of the Word and Excel patches, confirming that an attack would only have real significance if it managed to infect a machine with high-level administrative rights.

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," read the bulletin.

Persuading businesses to install patches more regularly has been an ongoing problem facing the security community.

Most recently, the dilemma was showcased by the fact that numerous firms are still running the outdated Windows XP operating system. The news is troubling because in less than six months Microsoft will officially cease support for the OS, meaning new security vulnerabilities will no longer be patched.
