Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

Microsoft Blocks Zero-Day Attacks Targeting IE, Office

Security updates patch bugs being exploited via in-the-wild attacks, except for Windows XP, which now becomes a sitting duck.

so only users who have already logged in to your SharePoint server can mount an attack," said Paul Ducklin, head of technology at Sophos, in a blog post.

Adobe patches critical Reader, Acrobat, Flash flaws
Also on Tuesday, Adobe released patches for 18 flaws in its products. The security fixes affect Adobe Reader and Acrobat, Flash Player, Adobe Illustrator (CS6), and Adobe AIR running on Windows and Mac OS X systems, as well as the Linux version of its Flash Player. Adobe also updated its Flash Player plug-in for the IE10, IE11, and Google Chrome browsers to fix security problems.

All of the flaws, except the Illustrator update, have been rated at maximum severity, because they could be exploited by attackers to remotely compromise Windows, Mac, or Linux systems.

Adobe's IE plug-in updates also led Microsoft to revise a security warning it first issued in September 2012, detailing how attackers could create malicious websites to exploit a particular Flash Player flaw via drive-by attacks. Microsoft said that anyone who uses Flash Player must update, regardless of which browser they regularly use, since attackers could still trigger the IE flaws. "Other applications, such as Microsoft Office 2007 and Microsoft Office 2010, can invoke Adobe Flash Player in Internet Explorer," the company warned.

Accordingly, Microsoft urged anyone using Flash Player for IE10 (on Windows 8, Windows Server 2012, or Windows RT) or IE11 (for Windows 8.1, Windows Server 2012 R2 or Windows RT 8.1) to update their Adobe plug-in immediately.

Windows XP users now vulnerable
May is the final month that Adobe will release patches that work with Windows XP. Meanwhile, although Microsoft released an emergency IE fix May 1 that works with XP, Tuesday's batch of patches don't work with the XP, thus making it official that the operating system is no longer supported.

"Windows XP will not be receiving any security updates today," said Microsoft's Childs Tuesday in a blog post. "For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move."

Microsoft, of course, has been sounding that drum for some time, and many businesses have adopted more modern versions of Windows. "Fortunately, the XP user base continues to shrink," Qualys CTO Kandek said, noting that the XP enterprise install base appears to have dropped to about 8%.

That's good, because from an information security standpoint, Windows XP users are sitting ducks, owing to hackers now being able to reverse-engineer flaws patched by Microsoft, then target those bugs in unpatchable XP systems. "The majority of the vulnerabilities addressed in the [Tuesday] updates probably affect Windows XP/Office 2003 ... but only users who have Microsoft's extended support agreement can get the patches," said Kandek.

Attackers' job will be made easier by Microsoft continuing to patch Windows Server 2003, which shares a substantial amount of code with XP. Accordingly, Kandek said, "We can assume that any vulnerability ... for Windows Server 2003 is applicable to XP as well." For this month alone, that means six newly patched flaws -- including the IE patch, ASLR fix, Group Profile patch, and Office updates, as well as the Adobe Reader and Flash fixes -- could be used by attackers to target XP systems.

Cyber-criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
Randy Naramore,
User Rank: Ninja
5/14/2014 | 4:06:20 PM
Microsoft Blocks Zero-Day Attacks Targeting IE, Office
Maybe I am wrong but aren't most vulnerabilities found by someone other than the one who developed it. Seems a little QA would be in order. Microsoft has a history of fixing things that are wrong with their software but it would be nice if they found one themselves. Thoughts?
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-28
Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.
PUBLISHED: 2020-02-28
In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This...
PUBLISHED: 2020-02-28
The file-upload feature in GwtUpload 1.0.3 allows XSS via a crafted filename.
PUBLISHED: 2020-02-28
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
PUBLISHED: 2020-02-28
A denial of service issue was addressed with improved input validation.