Brace for malware-fighting IE, Office patches
A vulnerability in versions 6 through 10 of Internet Explorer could be exploited to take control of affected machines through malware delivered from tainted Web pages, according to the upcoming Patch Tuesday security bulletins from Microsoft.
"This one would make it easy to remotely gain access to someone's machine via a malicious webpage," says Ken Pickering, development manager for security intelligence at CORE Security. "Bulletin One is downright scary."
The single bulletin actually accounts for 19 of the 23 individual common vulnerability exposures (CVE) dealt with this month.
It is the only one of the five bulletins being issued this month that is ranked critical, but since four of them require restarts after applying Microsoft recommended patches, it could make for IT headaches. "No one likes to force a reboot after an update, especially in an enterprise shop," he says.
Exploits of these CVEs would likely include phishing attempts that require end uses to be duped into browsing to an infected sit. "Many of the successful hacks we've seen lately have been through phishing attacks, so remember to take the time to educate your users about security and mitigation," says Paul Henry, a security and forensic analyst at Lumension.
Patches for Office, too
The rest of the bulletins are ranked important, which means they could result in compromised data but not unless users are prompted to take an action that contributes to the exploit.
"The next top issue would be the remote code execution in Office," says Ross Barrett, the senior manager of security engineering at Rapid7. "Since this is listed as only important,' there are likely significant hurdles to exploitation."
Because Microsoft Office is such a popular suite of applications, that makes this a potentially attractive vulnerability. "These are the most basic and most popular Microsoft products in use today," says Tommy Chin, technical support engineer, CORE Security, "therefore the impact is very high." Henry says there have been a limited number of exploits against this vulnerability seen in the wild.
Another vulnerability marked important pertains to Office 2003, but Mac users should take note. "The interesting thing is that it also works on the latest version of Office for the Mac," says Pickering.
Henry notes this month's bulletin count is the lowest so far this year. The total number of bulletins so far is an even 50, which puts 2013 eight bulletin lighter than last year at this time, he says. The number of bulletins marked critical 16 is exactly the same as last year.