Microsoft Patches Critical Windows Vulnerability

Published: 22/11/2024   Category: security




The software maker also tweaked its exploitability index, which predicts the likelihood that vulnerabilities will soon be compromised.



Slideshow: Internet Explorer 9 Fast, Powerful, Intuitive (click image for larger view and for slideshow)
Microsoft on Tuesday patched a critical vulnerability in Microsoft Windows, as well as two less severe vulnerabilities in Microsoft Office.

This continues the cycle of smaller and larger patches on alternate months, said Wolfgang Kandek, CTO of Qualys, in a blog post. Regardless, since all three of the bugs detailed this month could allow remote code execution, he recommends quick patching.

The critical Windows vulnerability involves a flaw in Windows Internet Name Server (WINS), which could allow remote code execution if a user received specially crafted malware on an affected system running the WINS service, said Microsoft.

According to Symantec, the bug exists because WINS fails to sufficiently validate data structures in WINS network packets. Note, however, that WINS is never installed by default, so only users who have manually installed the component will receive an update.

The two other bugs, rated important, are both in Microsoft PowerPoint and could be exploited via a specially crafted, malicious PowerPoint file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user, said Microsoft. Users operating with fewer rights will therefore be better protected against any related exploits: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," said Microsoft.

Microsoft's advice recalls a study, released last month, which found that blocking admin-level rights for regular users would stop the majority of attacks seen against Microsoft Windows.

Another relevant attack-stopping technique is to use the Office file validation feature, included by default in Office 2010 and also released last month for Office 2003 and 2007, which scans Office files for malformed data. If malformed data is found, users see a warning that the file they're trying to open might be dangerous, but they can choose to open the file anyway.

While Microsoft released a patch for all affected versions of PowerPoint for Windows (2002, 2003 and 2007), it has yet to patch Microsoft Office 2004 and 2008 for Mac, which are also at risk. As a result, Mac users remain vulnerable to malicious PowerPoint files, said Graham Cluley, senior technology consultant at Sophos, in a blog post. The risk is that cybercriminals will reverse engineer the fix for the Windows version of PowerPoint and use what they learn to exploit the vulnerability in the Apple Mac versions.

Also on the vulnerability front, beginning this month Microsoft has updated its exploitability index, which estimates the likelihood of a vulnerability being exploited by attackers within the next 30 days. It's designed to help patch managers decide which flaws to fix first.

Now Microsoft offers an exploitability index both for the current version of a product and for all former versions in aggregate. On Microsoft's website, Maarten Van Horenbeeck, a senior security program manager, said that this change makes it easier for customers on recent platforms to determine their risk, given the extra security mitigations and features built into Microsoft's newest products; under the previous system, vulnerabilities were given a single aggregate rating across all product versions.

Van Horenbeeck said the change, which Microsoft has been testing internally for eight months, reflects its finding that 38% of bugs discovered in products don't exist in the latest version of that product. In contrast, only 3% of bugs discovered in the most recent version of a product don't also affect previous versions.
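The split index only helps if patch triage actually uses the rating that matches the version deployed: the "latest version" rating when the installed build is current, and the aggregate "older versions" rating otherwise. The following Python is an added illustration, not code from the article or from Microsoft; the bulletin ids, product versions and inventory are constructed, and the numeric tiers (1 = consistent exploit code likely, 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely, lower meaning more urgent) follow Microsoft's public scale, which the article does not spell out.

```python
"""Patch triage driven by per-version exploitability ratings.

Added example with constructed data; not the article's or Microsoft's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Exploitability tiers (public Microsoft scale, assumed here; lower = more urgent).
CONSISTENT_EXPLOIT_LIKELY = 1
INCONSISTENT_EXPLOIT_LIKELY = 2
FUNCTIONING_EXPLOIT_UNLIKELY = 3

# Severity tie-breaker: critical outranks important at the same exploitability tier.
SEVERITY_RANK = {"critical": 0, "important": 1}


@dataclass
class Bulletin:
    bulletin_id: str                 # hypothetical id, not a real MS bulletin number
    product: str
    latest_version: str              # the version the 'latest' rating applies to
    latest_rating: Optional[int]     # None: the latest version is not affected
    older_rating: Optional[int]      # aggregate rating across all earlier versions
    severity: str                    # "critical" or "important"


def applicable_rating(bulletin: Bulletin, installed_version: str) -> Optional[int]:
    """Return the rating that applies to the version actually installed.

    The latest-version rating is used only when the inventory shows the
    current build; any older build falls back to the aggregate rating.
    """
    if installed_version == bulletin.latest_version:
        return bulletin.latest_rating
    return bulletin.older_rating


def triage(bulletins: List[Bulletin], inventory: Dict[str, str]) -> List[str]:
    """Return bulletin ids ordered most urgent first.

    Bulletins for products that are not deployed, or whose installed version
    is not affected, are dropped rather than ranked.
    """
    ranked = []
    for b in bulletins:
        installed = inventory.get(b.product)
        if installed is None:
            continue                      # product not in this estate
        rating = applicable_rating(b, installed)
        if rating is None:
            continue                      # installed version not affected
        ranked.append((rating, SEVERITY_RANK[b.severity], b.bulletin_id))
    ranked.sort()
    return [bulletin_id for _, _, bulletin_id in ranked]


# Constructed sample bulletins. B2 models the 38% case from the article: the
# bug is absent from the latest version but present in all earlier ones.
SAMPLE_BULLETINS = [
    Bulletin("B1", "WINS", "v3", INCONSISTENT_EXPLOIT_LIKELY, CONSISTENT_EXPLOIT_LIKELY, "critical"),
    Bulletin("B2", "PowerPoint", "v3", None, CONSISTENT_EXPLOIT_LIKELY, "important"),
    Bulletin("B3", "PowerPoint", "v3", FUNCTIONING_EXPLOIT_UNLIKELY, FUNCTIONING_EXPLOIT_UNLIKELY, "important"),
]

# Constructed inventory: WINS is on the current build, PowerPoint is one behind.
SAMPLE_INVENTORY = {"WINS": "v3", "PowerPoint": "v2"}


if __name__ == "__main__":
    # With PowerPoint at v2 the older-versions rating applies, so B2 jumps to the top.
    print(triage(SAMPLE_BULLETINS, SAMPLE_INVENTORY))
    # With PowerPoint on the latest build, B2 no longer applies at all.
    print(triage(SAMPLE_BULLETINS, {"WINS": "v3", "PowerPoint": "v3"}))
```

The point the example makes is the one in the article's numbers: a fleet on current builds can legitimately skip B2, while a fleet one version behind must treat it as the most urgent item, and a single aggregate rating would have hidden that difference.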
