Microsoft fixes 37 vulnerabilities
Posted on 13 August 2014.
Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching. This month’s advance notice contains nine advisories spanning a range of MSFT products.

We have the ubiquitous patch for all supported versions of Internet Explorer (MS14-051), with the same likely caveat that it would apply to Windows XP too, if Microsoft still supported it. This patch addresses the sole vulnerability in this month’s crop of issues to be actively exploited in the wild, CVE-2014-2817, and the sole issue which is known to be publicly disclosed, but not known to be under active exploitation, CVE-2014-2819. Both are elevation of privilege issues.

MS14-043 is also a critical and remote code execution issue. It affects only the professional/ultimate/enterprise editions of Windows 7 and 8/8.1 and the “Media Center TV Pack” for Vista. Fortunately, or not, depending on your point of view, this is not a true remote, but rather yet another attack where a user must be coerced into opening a malicious file.

Also of note, all supported versions of MS SQL Server are vulnerable to an issue which is a Denial of Service on most platforms, but is an Important Elevation of Privilege issue on Server 2014 and 2012 x64. This is probably not critical because it will require some degree of authentication to exploit, but given the potential for that to happen in any number of circumstances, this will no doubt be an important issue for administrators to address.

Beyond those we have a mixed bag of 3 other EOPs, a Remote Code Execution and two security bypass issues, all labelled Important. Windows, Office, SharePoint and .NET are all touched by these fixes. Security and IT teams will be busy scrambling to test and apply these fixes.



Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.




