Microsoft today released a critical security patch to cover a
zero-day flaw that was being used by "nation-state attackers" to hijack
Gmail accounts.
The vulnerability, originally disclosed on June 13,
affects Microsoft XML Core Services and can be exploited to launch
remote code execution attacks if a Windows user simply surfs to a
maliciously crafted website using Internet Explorer.
The MS12-043 bulletin
headlines a heavy Patch Tuesday that includes nine bulletins -- three
critical, six important -- covering 16 documented software
vulnerabilities.
This month's patch batch covers dangerous
security holes in the Windows operating system, the Internet Explorer
browser, Visual Basic for Applications and Microsoft Office.
The
Internet Explorer update is a surprise. Microsoft typically patches
the IE browser every other month (last month's updates featured a major
IE fix) but because of the severity of two critical vulnerablities, the
company decided to go back-to-back with patches for the world's most
widely deployed browser.
Here's the skinny on the Internet Explorer bulletin, via the MSRC blog:
- MS12-044 (Internet Explorer): This security update addresses two Critical-class, remote-code-execution issues affecting Internet Explorer. As with the MDAC issue, these two vulnerabilities were privately disclosed to us and we have no indication that they’re under exploit in the wild. As with the others, recommend that customers read the bulletin information and apply it as soon as possible. We have by the way increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence. We look forward to your feedback on the change.
The company is also urging Windows users to pay special attention to MS12-045, a critical bulletin that covers a remote code execution flaw haunting Microsoft Data Access Components (MDAC)
"The
issue exists in all versions of Windows, and users of any version of
Internet Explorer would potentially be vulnerable to it; however, we
received word of this issue through private disclosure and we have no
evidence that it is publically known or under exploit in the wild.
Still, we recommend that customers read the bulletin information and
apply it as soon as possible," Microsoft said.
The other six
bulletins are all rated "important" and affects Windows, Visual Basic
for Applications, and Office, including SharePoint and Office for Mac.
No comments:
Post a Comment