Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Microsoft Releases 'Critical' Security Updates For Windows, Explorer

One of the key vulnerabilities involves a weakness in Microsoft's VBScript and JScript scripting engines.

Microsoft on Tuesday released eight software updates for the Windows operating system and Internet Explorer Web browser to patch security holes, five of which the company described as "critical."

PC users can determine if they need the updates by accessing the company's online Baseline Security Analyzer, Microsoft said.

The five critical updates are designed to address security vulnerabilities that could leave Windows or Explorer open to remote code execution -- a technique used by hackers to gain control of a target computer.

The updates apply to Windows Vista, Windows XP and Windows 2000, Windows Server 2003 and Windows Server 2008, as well as Explorer. Users will need to restart their systems after installing the updates, Microsoft said.

Bloggers at security software and research firm Symantec called one of the critical vulnerabilities, a weakness in the VBScript and JScript scripting engines, "the worst of the bunch."

"The components are installed on multiple flavors of Windows and are relatively easy to exploit," the Symantec blog said.

Microsoft typically releases major security updates in the second week of each month.

Microsoft also patched two "important" vulnerabilities that leave Windows open to spoofing and unauthorized user privilege elevation, and a vulnerability that could expose Microsoft Office to remote code execution.

Microsoft also released an updated version of the Windows Malicious Software Removal Tool. The tool is designed to check for, and remove, malware programs such as Blaster, Sasser and Mydoom.

The updated tool can be obtained from the online Windows Update service, Windows Server Update Services or Microsoft's Download Center.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6017
PUBLISHED: 2020-12-03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code ...
CVE-2020-6021
PUBLISHED: 2020-12-03
Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DL...
CVE-2020-6111
PUBLISHED: 2020-12-03
An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and...
CVE-2020-5680
PUBLISHED: 2020-12-03
Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CVE-2020-5638
PUBLISHED: 2020-12-03
Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors.