Microsoft releases serious patches for IE9 and Windows

Yesterday, Microsoft patched 34 vulnerabilities in Windows, Internet Explorer (IE), Office and other software. Of those, the company rated 15 as 'serious'.


One expert said that the larger number of updates, as well as Microsoft providing them 2 hours later, will put pressure on managers.

Wolfgang Kandek, chief technology officer for security firm Qualys, said: 'Certainly, IT administrators will have to choose and decide how to act first.'

Of the 16 updates, which Microsoft calls bulletins, 9 were rated 'serious', the highest rating in its scoring system. The remaining 7 are rated 'important', the second-highest rating.

Although the number of patches offered yesterday was lower than the 64 patches Microsoft released in April, it was still the second highest this year. The count of 16 bulletins is also a record.

Of the 34 vulnerabilities, 15 are rated serious, 17 are rated important and the remaining 2 are rated average.

Microsoft has singled out four of the 16 updates and is urging users to deploy these four patches as soon as possible.

Jerry Bryant, senior manager of the Microsoft Security Response Center (MSRC), said in an interview yesterday: 'We focus on 4 patches: MS11-050, MS11-052, MS11-043 and MS11-042.' He listed these 4 patches in order of preference.

Among the bulletins that need to be deployed immediately, MS11-050 provides 11 patches for IE, and both Microsoft and outside experts ranked it high on the list.

Andrew Storms, director of security operations at nCircle Security, said: 'This patch topped the list when Microsoft patched IE. However, this is also an update for IE9 and we can see the fact that Microsoft had this error at the time they released IE9 or a few days slower.'

Storms was alluding to Microsoft's testing process, which usually takes about 2 months or more. That timeline may not have allowed a patch for IE9 to "appear" in April, when the first update after the browser's launch was expected.

Microsoft customarily patches IE in even-numbered months; the last time it released a security update for its browser was April, when it patched five vulnerabilities. However, this patch is the first update for IE9, the web browser it launched in mid-March. According to Microsoft, 4 of the 11 patches in MS11-050 affect IE9.

Of the 11 vulnerabilities in IE that Microsoft patched yesterday, 9 could be exploited in a "drive-by" attack, which requires only that users visit a site containing malicious code.

MS11-052 is also related to IE, although Microsoft has labeled it as an update for Windows.

Bryant said: 'The vulnerability is inside Windows, but the attack direction comes from Internet Explorer. However, IE9 is not affected by this update. It was focused before IE9 was released.'

Only IE6, IE7 and IE8 could be used to exploit the vulnerability patched by MS11-052, not IE9.

MS11-043 and MS11-042 were also mentioned by Bryant. The first update fixes a bug in the way Windows handles the SMB (Server Message Block) protocol, which could be used in an attack that Bryant calls "browse-and-own".

A good sign, according to both Bryant and Storms, is that many companies already block outbound SMB traffic at the firewall, which helps prevent exploitation of the hole patched in MS11-043.

Storms said: 'I think this vulnerability is unlikely to be exploited in the real world.'

MS11-042 updates DFS (distributed file service), which administrators use to group shared folders on different servers, to patch two vulnerabilities in Windows, one serious and one important. Microsoft has rated this vulnerability as serious only on the Windows XP and Windows Server 2003 operating systems.

Kandek said: "[MS11-042 and MS11-043] are very interesting, but I think technically it will make it more difficult for attackers."

In fact, Kandek rated MS11-045, an update with eight patches for Excel, the spreadsheet included in Microsoft Office on Windows and Mac, as the second most dangerous in yesterday's collection, just behind the IE updates MS11-050 and MS11-052.

Kandek said: 'Microsoft only ranks them as important because users are required to open a file that the attacker provides. However, we believe that bad guys have enough skills and qualifications to create attractive enough files to attract users to open them.'

He added: 'If I were an attacker, this is definitely the method I would use because users always tend to trust Excel files.'

Of the 8 patches in the Excel update, only one affects the latest versions of Excel on Windows, Excel 2007 and Excel 2010; 2 affect Excel 2011 on Mac.

Storms said: 'Obviously newer Office software is usually better and has more security.'

Microsoft also provided patches for SQL Server, Forefront 2010, the .NET Framework and the Silverlight platform, as well as the hypervisor included in Windows Server 2008 and Server 2008 R2.

The June update can be downloaded and installed through Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).
