
Microsoft Blocks Zero-Day Attacks Targeting IE, Office

Security updates patch bugs being exploited via in-the-wild attacks, except for Windows XP, which now becomes a sitting duck.


Microsoft has released a slew of security updates, including fixing two sets of vulnerabilities that are being actively exploited by in-the-wild attacks. But for the first time ever, Windows XP holdouts didn't receive any related security updates.

Microsoft published eight security bulletins Tuesday -- as part of its regularly scheduled monthly patch release cycle -- including fixes for 13 different vulnerabilities in Windows, Internet Explorer, Office, SharePoint Server, Group Policy preferences, as well as the .NET Framework and iSCSI.

Microsoft's cumulative IE security update incorporates the "out-of-band" patch it originally released May 1 for a critical IE bug (CVE-2014-1776) that Google's security team found was being actively exploited by attackers to remotely execute arbitrary code. In a surprise twist, Microsoft had released that May 1 patch for Windows XP as well, even though it officially stopped supporting XP last month.

Microsoft also issued a fix for a new critical IE bug Tuesday, saying that it was aware of limited, targeted attacks that attempt to exploit this vulnerability.


Wolfgang Kandek, CTO of Qualys, described the patch in a blog post as "another surgical fix" similar to the May 1 patch. He noted that anyone who has yet to install the May 1 patch -- aside from XP users -- can install Microsoft's May 13 update instead, because it includes the fix.

Microsoft said that most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically.

According to Dustin C. Childs, group manager for incident response communications at Microsoft's Trustworthy Computing Group, the IE update should top the list of enterprise patching priorities, followed by the fix for a vulnerability in the MSCOMCTL common controls library included in Office -- which Microsoft said is also being actively exploited by in-the-wild attacks -- and then the fix for a Group Policy preferences flaw.

Kandek concurred with that patch prioritization, noting that the MSCOMCTL fix comes in the form of a new DLL with ASLR (address space layout randomization) enabled: an easy change for developers to implement (basically a recompile), but one that took extensive testing because the DLL is so widely used. Thanks to ASLR, the update will also better block future attacks against the library. Meanwhile, Kandek added, the Group Policy patch prevents credentials from being stored in Group Policy preferences, where they are relatively easily retrieved by hackers and pen testers alike.
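To make "a new DLL that has ASLR set" concrete, here is an added example (not code from Microsoft, Qualys or this article) of how a defender can verify that flag directly in the file: a Python script that walks a PE image's DOS header, PE signature, COFF header and optional header, then reports whether the DYNAMIC_BASE (ASLR opt-in) and NX_COMPAT (DEP) bits are set and whether relocations were stripped, since a DLL without relocations cannot be moved even if it asks for ASLR. The offsets and flag values are the published PE/COFF ones; the sample image is constructed inline purely to exercise the parser and is not a real Microsoft binary.

```python
import struct
import sys

# Flags from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no .reloc section, cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # optional header DllCharacteristics: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # optional header DllCharacteristics: DEP compatible


def pe_header_flags(image: bytes) -> tuple:
    """Return (COFF Characteristics, DllCharacteristics) for a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)          # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    (coff_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                               # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # Subsystem sits at offset 68 and DllCharacteristics at 70 in both layouts
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return coff_chars, dll_chars


def has_aslr(image: bytes) -> bool:
    """ASLR is effective only when the opt-in bit is set AND relocations are present."""
    coff_chars, dll_chars = pe_header_flags(image)
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not (
        coff_chars & IMAGE_FILE_RELOCS_STRIPPED
    )


def missing_mitigations(image: bytes) -> list:
    """Human-readable list of the exploit mitigations this image does not opt into."""
    coff_chars, dll_chars = pe_header_flags(image)
    missing = []
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        missing.append("ASLR (DYNAMIC_BASE)")
    elif coff_chars & IMAGE_FILE_RELOCS_STRIPPED:
        missing.append("ASLR (relocations stripped)")
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        missing.append("DEP (NX_COMPAT)")
    return missing


def build_minimal_pe(dll_chars: int, coff_chars: int = 0x2102) -> bytes:
    """Constructed test image (not a real DLL): 64-byte DOS header pointing at a PE
    signature, a 20-byte COFF header and a zero-filled 224-byte PE32 optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics default 0x2102 = DLL | 32BIT_MACHINE | EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, coff_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, 2)          # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pe_mitigations.py C:\path\to\MSCOMCTL.OCX other.dll ...
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                gaps = missing_mitigations(fh.read())
            print(f"{path}: {'all checked mitigations present' if not gaps else 'missing ' + ', '.join(gaps)}")
    else:
        before = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
        after = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
        print("pre-update style DLL :", missing_mitigations(before))
        print("recompiled DLL       :", missing_mitigations(after))
```

Run it against the library files on a patched and an unpatched machine to see the difference the recompile makes; the same check applies to any third-party DLL that gets loaded into Office or a browser.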

CrowdStrike CTO Dmitri Alperovitch, via Twitter, lauded the latter fix. "Very good security update from Microsoft today that disables a number of password dumping tools including Mimikatz," he said.
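The Group Policy update stops new passwords from being written into preference files, but entries that were created before the update stay in SYSVOL until an administrator removes them, so the patch alone does not close the exposure. The following is an added example (not code from Microsoft, Qualys, CrowdStrike or this article) of the audit a defender runs afterwards: a Python script that walks the domain's Policies share, opens the Group Policy preference XML files that can carry an embedded credential, and reports every element that still has a non-empty `cpassword` attribute, together with the account it belongs to, so those preference items can be deleted and the accounts' passwords rotated. The file names and attribute names are the real GPP conventions; the XML fragments below are constructed samples with placeholder values, not real policy data, and the script never decodes the stored value.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Group Policy preference files that can embed a credential in a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpassword(xml_text: str, source: str) -> list:
    """Return one finding per element whose cpassword attribute is still populated."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.attrib.get("cpassword"):
            continue                                    # absent or already blanked: nothing to do
        # the attributes live on <Properties>; report the preference item that owns it
        item = parent_of.get(elem, elem) if elem.tag == "Properties" else elem
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), "(unknown)")
        findings.append({"source": source, "element": item.tag, "account": account})
    return findings


def scan_sysvol(policies_dir: str) -> list:
    """Walk e.g. \\\\domain\\SYSVOL\\domain\\Policies and audit every relevant preference file."""
    findings = []
    for dirpath, _, files in os.walk(policies_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:   # GPP files are often written with a BOM
                    findings.extend(find_cpassword(fh.read(), path))
    return findings


# Constructed samples: one local-user item and one scheduled task still carrying a
# cpassword, and a mapped drive whose credential was already cleaned out.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-GROUPS-CLSID}">
  <User clsid="{CONSTRUCTED-USER-CLSID}" name="LocalAdmin" changed="2014-05-01 10:00:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description="" cpassword="CONSTRUCTED-NOT-A-REAL-VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>"""

TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CONSTRUCTED-TASKS-CLSID}">
  <Task clsid="{CONSTRUCTED-TASK-CLSID}" name="NightlyBackup" changed="2014-04-20 08:15:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" name="NightlyBackup" appName="backup.exe" runAs="EXAMPLE\\svc_backup"
                cpassword="CONSTRUCTED-NOT-A-REAL-VALUE"/>
  </Task>
</ScheduledTasks>"""

DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CONSTRUCTED-DRIVES-CLSID}">
  <Drive clsid="{CONSTRUCTED-DRIVE-CLSID}" name="H:" changed="2014-05-14 09:00:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" path="\\\\fileserver\\home" label="Home" persistent="1" username="" cpassword=""/>
  </Drive>
</Drives>"""


def report(findings: list) -> str:
    lines = [f"{f['source']}: <{f['element']}> still stores a password for {f['account']}" for f in findings]
    return "\n".join(lines) if lines else "no stored preference passwords found"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report(scan_sysvol(sys.argv[1])))     # usage: python gpp_audit.py <path to Policies>
    else:
        samples = [(GROUPS_XML, "Groups.xml"), (TASKS_XML, "ScheduledTasks.xml"), (DRIVES_XML, "Drives.xml")]
        print(report([f for xml, name in samples for f in find_cpassword(xml, name)]))
```

Each hit names a preference item that should be removed through the Group Policy Management Console, after which the affected account's password should be changed, because anyone who could read SYSVOL may already have recovered the old one.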

Rounding up the other security updates, Kandek advised that any business running SharePoint should also prioritize the related patch, especially if it exposes SharePoint to the Internet. That's because the patch fixes a flaw that would allow a remote attacker to upload files to SharePoint and trigger remote-code execution, thus allowing the attacker to take control of the server.

"The silver lining is that this is what's known as an authenticated vulnerability,


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments

Randy Naramore, User Rank: Ninja, 5/14/2014 | 4:06:20 PM
Microsoft Blocks Zero-Day Attacks Targeting IE, Office
Maybe I am wrong, but aren't most vulnerabilities found by someone other than the one who developed it? Seems a little QA would be in order. Microsoft has a history of fixing things that are wrong with their software, but it would be nice if they found one themselves. Thoughts?