Menu
Microsoft Patch Tuesday tackles three critical vulnerabilities

Microsoft Patch Tuesday tackles three critical vulnerabilities

The Sandworm vulnerability gets a fix with this month's round of corrective fixes for Microsoft software

After a relatively quiet few months, Microsoft Patch Tuesday is back in full force, covering three zero-day vulnerabilities that administrators should attend to as quickly as possible.

Microsoft issued eight security bulletins Tuesday, covering a total of 24 vulnerabilities found in Windows, Internet Explorer, Office and the .Net framework. Three of the bulletins are marked as critical, which means administrators should test and apply these patches immediately. A single bulletin can cover multiple vulnerabilities within one technology.

Three of these vulnerabilities are already being exploited by malicious attackers, hence they are being called zero-day vulnerabilities. This is the first time in recent history -- and perhaps ever -- that Microsoft has fixed three zero-day vulnerabilities in a single round of patches, which Microsoft typically issues on the second Tuesday of each month.

"Sandworm" is the most notorious of the three and is a vulnerability in Microsoft Windows that has already been used in attacks on NATO and a number of European government agencies, telecommunication firms and energy companies, according to cyberthreat intelligence firm iSight. Microsoft Bulletin MS14-060 fixes this bug.

"This is an urgent one to fix," said Wolfgang Kandek, chief technology officer for IT security firm Qualys.

Microsoft marked MS14-060 as important rather than critical because for the attack to work, it would require a user to click on a file. Qualys ranks this vulnerability as more severe in that it is pretty easy to trick a single person into clicking on a file, such as a PowerPoint presentation, which would be all that would be required for an attacker to gain access to an internal network with a well-crafted script, Kandek said.

Sandworm is a good reminder for administrators to make sure that they set the user permissions correctly on desktop and laptop computers, meaning not to give an end user full administrative privileges on the machine, Kandek said.

The second zero-day flaw addresses a problem in Internet Explorer and the fix is found in MS14-056. This vulnerability "could allow an attacker to break out of the sandboxing capabilities in Internet Explorer," said Amol Sarwate, director of vulnerability research at Qualys.

The third zero-day, addressed in MS14-058, also comes from a flaw within Windows, namely from the way the operating system kernel drivers handle TrueType fonts. An attacker could embed some malicious code within a TrueType font. When a user visits a site with these ill fonts, Windows will download the font package and automatically execute the code buried within.

Beyond Microsoft's patches, administrators will also have a busy week with patches from Adobe and Oracle, Kandek said.

On Tuesday, Adobe released a set of patches for its Flash multimedia player. Oracle is also releasing a wide range of patches for its enterprise software. In particular, administrators should take a look at the Java patches, Kandek advised.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecuritypatch managementExploits / vulnerabilities

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments