On Tuesday, Microsoft released eight security bulletins, addressing more than 20 vulnerabilities. Included in the latest release were fixes for several vulnerabilities disclosed before the software giant could fix them, including one for Excel. However, the vulnerability from earlier this month that targets Microsoft’s PowerPoint was a no-show.
Microsoft pushes massive fixes in monthly release. (Image: J. Anderson)
“While the world is still reeling from Conficker, Microsoft today released its largest batch of security updates this year, including urgent fixes for vulnerabilities that are already being exploited,” said Dave Marcus, director of security research and communications for McAfee Avert Labs. “This won’t be easy for many security professionals, especially in larger enterprises.”
One of the issues fixed by yesterday's patch release centers on Microsoft DirectShow.
“This software is a core component of Microsoft Windows 2000, XP, and Server 2003 and is used as an interface by most Windows-based applications, such as Microsoft Media Player, that play multimedia files. Essentially, the vulnerability allows an attacker to create a malicious movie that, when viewed, would give the attacker complete control of the computer. Although there are no public details about this vulnerability yet, attackers have favored this type of exploitation method heavily in the past year,” said IBM’s Holly Stewart.
Stewart also said that document and multimedia vulnerabilities represent two of the fastest growing categories of vulnerabilities affecting personal computers. From 2007 to 2008, document-related vulnerabilities rose by 162 percent and multimedia-related vulnerabilities rose by 127 percent.
“They are prime exploitation targets for the criminal underground because they are typically easy to exploit through spam or through links to malicious Web sites where the documents are hosted. Users don't expect innocuous documents like PDF files, Excel spreadsheets, or movies to compromise their computer, making it easy for attackers to trick them into viewing the malicious file,” she explained.
In the last quarter of 2008, nearly 15 percent of all the malicious links that IBM tracked were related to malicious movies and 10 percent were related to malicious documents.
Another interesting note from April’s patch release is the Exploitability Index. Microsoft said that six of the vulnerabilities patched this month are actively being exploited in the wild. This is the first time since the release of the Exploitability Index that there have been so many active attacks online at the same time a patch for them was released.
“Microsoft’s Security bulletin for April brought a total of 8 advisories covering 23 distinct vulnerabilities in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. Six vulnerabilities have already been used by attackers and four have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking, where before weeks were an acceptable timeframe, now days seems more adequate,” commented Wolfgang Kandek, CTO at Qualys.
Considering the ranking on the Exploitability Index, the number of critical patches, and the fact that most of the patches are flagged as needing a reboot, it is shaping up to be a long week for IT.
Home users are advised to patch now and install everything required. Windows Update will direct you to the necessary patches.
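For administrators who want to confirm where a host stands before and after a patch cycle, the following PowerShell snippet is an added example, not code from the article or from Microsoft's bulletins. It assumes a Windows host on which the Windows Update Agent COM API (Microsoft.Update.Session) is available and that can reach its configured update source (Windows Update or a WSUS server); the KB numbers it prints come from the agent at run time, none are taken from this article.

```powershell
# Added example (not from the article): list what is already installed, then ask the
# Windows Update Agent which software updates this host is still missing, with the
# MSRC severity and reboot requirement for each, so Critical items can be scheduled first.
# Assumes a Windows host with the Windows Update Agent COM API and update-source access.

# Recent installed hotfixes, for comparison with the month's bulletin list.
$installed = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
$installed | Format-Table HotFixID, Description, InstalledOn -AutoSize

# Query the agent for software updates that are applicable but not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [PSCustomObject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity      # Critical / Important / Moderate / Low; empty for non-security updates
        Reboot   = $u.RebootRequired    # whether installing this update needs a restart
        Title    = $u.Title
    }
}

# Critical updates first: these are the ones where the patch window is days, not weeks.
$pending |
    Sort-Object @{ Expression = { $_.Severity -eq 'Critical' }; Descending = $true }, KB |
    Format-Table -AutoSize

# A restart left over from an earlier installation also blocks new patches from taking effect.
$sysInfo = New-Object -ComObject Microsoft.Update.SystemInfo
"Reboot pending from earlier updates: $($sysInfo.RebootRequired)"
```

Run it in an elevated PowerShell session; the search can take a minute on a host that has not synchronized recently. The reboot check at the end matters for this release in particular, since most of the month's patches are flagged as needing a restart, and an update that is installed but not yet rebooted into still leaves the vulnerable code in use.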
More information can be found online here.