Hey folks, it's time to patch your Windows PCs! Somebody tipped Microsoft off to a vulnerability in the way Windows handles the remote desktop protocol, and the problem turned out to be a biggie: the exploit allows attackers to run code without any user permissions whatsoever, and all Windows operating systems from XP on up are affected. The good news is that Microsoft has already issued a security patch for the problem. The bad news? Microsoft has taken the unusual step of suggesting you install the patch immediately, since it expects baddies to exploit the gaping security hole quickly.
You can step into the new year feeling more secure, thanks to an important security update from Microsoft. The Redmond company on Thursday issued an out-of-band security update that addresses a “critical” denial-of-service (DoS) vulnerability (CVE-2011-3414) that affects Microsoft’s ASP.NET, among other web application platforms.
As it does on the second Tuesday of each month, Microsoft today delivered this month’s installment of security updates. June’s edition of Patch Tuesday includes only four security bulletins, significantly fewer than last month’s consignment of 16 security bulletins. Between them, the security bulletins released today address 22 vulnerabilities.
The vulnerability, which can be used by an attacker to take control of the affected system, also affects Flash Player 10.1.85.3 (and earlier), but the hole in Flash has already been plugged with the release of version 10.1.102.64 earlier this month. Besides CVE-2010-3654, the updates also address a “potential issue” (CVE-2010-4091) in certain versions of Reader.
“Note that these updates represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011,” said Adobe in the advisory.
Last week’s cyber attacks, which targeted Google and several other large U.S. companies, have certainly gotten Microsoft’s attention. The attack was orchestrated, in part, through a zero-day flaw in Internet Explorer (IE). The flaw seems to be obscure, and restricted to IE 6 and IE 7, but that hasn’t stopped Microsoft from releasing an out-of-cycle patch for IE.
Microsoft has acknowledged the flaw, and says the “vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”
Microsoft, in an announcement posted today, says the confusion surrounding this particular attack has compelled Microsoft to act now. Microsoft’s primary advice: upgrade to IE 8, which is not affected by this flaw. If you don’t plan to upgrade, then updates for earlier versions will be made available, with specific timing of the updates to be announced tomorrow. In the meantime, Microsoft suggests using the workarounds and mitigations provided in Security Advisory 979352.
Jeremy Kirk, of the IDG News Services, reports the problem to be linked to Microsoft’s monkeying about with the Access Control List (ACL). The ACL is a list of permissions for the logged-in user. It interacts with registry keys to create visible desktop features, like the sidebar.
The patch changes some of those registry keys, which messes with certain installed applications. These applications are unaware of the registry changes, don’t run properly, and, in a fit of pique, bring the PC to a crashing halt. According to Mel Morris, the CEO of Prevx, a United Kingdom security firm: “If you’ve got this problem, it’s massively debilitating.” Prevx, at its web site, offers a fix for the problem.
Several security vulnerabilities were reported in Google’s Chrome web browser after its beta version was launched earlier this month with much ado. Google has quickly responded with a security update that fixes four vulnerabilities. The update addresses two buffer overflow vulnerabilities, both rated critical by Google, and two other minor bugs. However, the carpet-bombing threat, first brought to light by security researcher Aviv Raff, still looms.