Patch Tuesday too late for many bugs

April 15, 2009

Microsoft has issued security fixes for 23 issues in its monthly update. The most striking note is that six bugs were already being actively exploited, and hackers appear to have already had a good idea how to exploit a further four.

The fixes solve problems including critical vulnerabilities in Excel, Word and WordPad where opening infected files could leave your computer prey to remote code execution. There are also critical issues with Internet Explorer 5 through 7 (triggered by visiting an infected site), and in Windows’ HTTP services.

With the bugs for Excel and Word, it’s already known that hackers have exploited the problem (though Microsoft describes the attacks as limited). There are several other bugs where hackers have posted proof-of-concepts: a demonstration that a particular method could conceivably be used for an attack.

In some senses, the number of zero day bugs (those where hackers knew how to exploit them before the fix was issued) is a little misleading this month as they aren’t all issues which have developed since the last update: Microsoft has gathered together fixes for bugs which have been around for several months. But while it’s welcome news that the firm has finally fixed these problems, it’s not exactly deserving of praise: it simply means some issues have been a risk for even longer.

As you’ve probably gathered, this isn’t a month to delay installing the security updates if you don’t use the automatic installation feature. If you use any of Word, Excel or Internet Explorer, those should be priority updates, while all users should get the HTTP patch up and running immediately.

Surprisingly there’s no fix yet for the problem with PowerPoint which Microsoft announced earlier this month. That’s despite the knowledge that hackers were already attempting to exploit the problem before Microsoft’s announcement, which no doubt attracted further attention from would-be attackers.

Copyright © 2009 Blorge.com