Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

Microsoft Blocks Zero-Day Attacks Targeting IE, Office

Security updates patch bugs being exploited via in-the-wild attacks, except for Windows XP, which now becomes a sitting duck.

so only users who have already logged in to your SharePoint server can mount an attack," said Paul Ducklin, head of technology at Sophos, in a blog post.

Adobe patches critical Reader, Acrobat, Flash flaws
Also on Tuesday, Adobe released patches for 18 flaws in its products. The security fixes affect Adobe Reader and Acrobat, Flash Player, Adobe Illustrator (CS6), and Adobe AIR running on Windows and Mac OS X systems, as well as the Linux version of its Flash Player. Adobe also updated its Flash Player plug-in for the IE10, IE11, and Google Chrome browsers to fix security problems.

All of the flaws, except the Illustrator update, have been rated at maximum severity, because they could be exploited by attackers to remotely compromise Windows, Mac, or Linux systems.

Adobe's IE plug-in updates also led Microsoft to revise a security warning it first issued in September 2012, detailing how attackers could create malicious websites to exploit a particular Flash Player flaw via drive-by attacks. Microsoft said that anyone who uses Flash Player must update, regardless of which browser they regularly use, since attackers could still trigger the IE flaws. "Other applications, such as Microsoft Office 2007 and Microsoft Office 2010, can invoke Adobe Flash Player in Internet Explorer," the company warned.

Accordingly, Microsoft urged anyone using Flash Player for IE10 (on Windows 8, Windows Server 2012, or Windows RT) or IE11 (for Windows 8.1, Windows Server 2012 R2 or Windows RT 8.1) to update their Adobe plug-in immediately.

Windows XP users now vulnerable
May is the final month that Adobe will release patches that work with Windows XP. Meanwhile, although Microsoft released an emergency IE fix May 1 that works with XP, Tuesday's batch of patches don't work with the XP, thus making it official that the operating system is no longer supported.

"Windows XP will not be receiving any security updates today," said Microsoft's Childs Tuesday in a blog post. "For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move."

Microsoft, of course, has been sounding that drum for some time, and many businesses have adopted more modern versions of Windows. "Fortunately, the XP user base continues to shrink," Qualys CTO Kandek said, noting that the XP enterprise install base appears to have dropped to about 8%.

That's good, because from an information security standpoint, Windows XP users are sitting ducks, owing to hackers now being able to reverse-engineer flaws patched by Microsoft, then target those bugs in unpatchable XP systems. "The majority of the vulnerabilities addressed in the [Tuesday] updates probably affect Windows XP/Office 2003 ... but only users who have Microsoft's extended support agreement can get the patches," said Kandek.

Attackers' job will be made easier by Microsoft continuing to patch Windows Server 2003, which shares a substantial amount of code with XP. Accordingly, Kandek said, "We can assume that any vulnerability ... for Windows Server 2003 is applicable to XP as well." For this month alone, that means six newly patched flaws -- including the IE patch, ASLR fix, Group Profile patch, and Office updates, as well as the Adobe Reader and Flash fixes -- could be used by attackers to target XP systems.

Cyber-criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/14/2014 | 4:06:20 PM
Microsoft Blocks Zero-Day Attacks Targeting IE, Office
Maybe I am wrong but aren't most vulnerabilities found by someone other than the one who developed it. Seems a little QA would be in order. Microsoft has a history of fixing things that are wrong with their software but it would be nice if they found one themselves. Thoughts?
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2020-17454
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
CVE-2020-24421
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.