Prepare for Record Patch Tuesday

By Tony Bradley, PC World

Next Tuesday Microsoft will unleash 14 new security bulletins, addressing a record-tying 34 vulnerabilities. In the wake of the out-of-band patch issued for the Windows shortcut security flaw, and with an upcoming out-of-band patch from Adobe as well–IT admins need to a plan of action for implementing the deluge of updates.

Issuing 14 security bulletins in one month is a new one, but the record of patching 34 different flaws is not so uncommon any more. This is the third or fourth time that has occurred in just the past year. Microsoft has experienced a feast or famine flow of updates with virtually no security bulletins one month, followed by a massive batch of security bulletins the next. Microsoft has also had an unusual number of out-of-band patches this year to address attacks against zero-day vulnerabilities.

Wolfgang Kandek, CTO of Qualys, provides a brief analysis of the upcoming Microsoft patches on his blog. “Including the LNK update, 9 bulletins have a rating of critical and affect all version of the Windows OS, Internet Explorer, Silverlight and Microsoft Office.”

However, Kandek goes on to clarify that “Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003 in function of their improved security architecture, but are still affected by 2 critical vulnerabilities each.”

Anuncios

By Tony Bradley, PC World

Next Tuesday Microsoft will unleash 14 new security bulletins, addressing a record-tying 34 vulnerabilities. In the wake of the out-of-band patch issued for the Windows shortcut security flaw, and with an upcoming out-of-band patch from Adobe as well–IT admins need to a plan of action for implementing the deluge of updates.

Issuing 14 security bulletins in one month is a new one, but the record of patching 34 different flaws is not so uncommon any more. This is the third or fourth time that has occurred in just the past year. Microsoft has experienced a feast or famine flow of updates with virtually no security bulletins one month, followed by a massive batch of security bulletins the next. Microsoft has also had an unusual number of out-of-band patches this year to address attacks against zero-day vulnerabilities.

Wolfgang Kandek, CTO of Qualys, provides a brief analysis of the upcoming Microsoft patches on his blog. “Including the LNK update, 9 bulletins have a rating of critical and affect all version of the Windows OS, Internet Explorer, Silverlight and Microsoft Office.”

However, Kandek goes on to clarify that “Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003 in function of their improved security architecture, but are still affected by 2 critical vulnerabilities each.” Leer más “Prepare for Record Patch Tuesday”

Microsoft sets emergency Windows patch for Monday

As exploits of the shortcut bug climb, company commits to ‘out-of-band’ update
By Gregg Keizer

Computerworld – Microsoft today said it will issue an emergency patch for the critical Windows shortcut bug on Monday, Aug. 2.

The company said that it is satisfied with the quality of the “out-of-band” update — Microsoft’s term for a patch that falls outside the usual monthly delivery schedule — but also acknowledged that it has tracked an upswing in attacks.

“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability,” Christopher Budd, a spokesman for the Microsoft Security Response Center, said in a entry on the team’s blog. “We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”

Budd said that Microsoft would release the patch on Monday at approximately 1 p.m. Eastern.

Two weeks ago, Microsoft confirmed a flaw in how Windows parses shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.

The bug was first described in mid-June by VirusBlokAda, a little-known security firm based in Belarus, but attracted widespread attention only after security blogger Brian Krebs reported on it July 15. A day later, Microsoft admitted that attackers were already exploiting the flaw using the “Stuxnet” worm, which targets Windows PCs that manage large-scale industrial-control systems in manufacturing and utility firms.

Exploit code has been widely distributed on the Internet, and Microsoft and others have spotted several attack campaigns based on the bug.

One of those campaigns apparently tipped the scales toward an early patch.

The Microsoft group responsible for crafting malware signatures to defend customers using the company’s antivirus products, including the free Security Essentials software, said that an especially nasty malware family had added exploits of the unpatched shortcut flaw to its arsenal.

“Sality is a highly virulent strain … known to infect other files, making full removal after infection challenging, copy itself to removable media, disable security, and then download other malware,” wrote Holly Stewart of the Microsoft Malware Protection Center, on the group’s blog Friday. “It is also a very large family — one of the most prevalent families this year. ”

Sality’s inclusion of the shortcut exploit quickly drove up the number of PCs that have faced attack. “After the inclusion of the [shortcut] vector, the numbers of machines seeing attack attempts combining malicious [shortcuts] and Sality.AT soon surpassed the numbers we saw with Stuxnet,” said Stewart.

“We know that it is only a matter of time before more families pick up the technique,” she added.

Other security researchers had spotted Sality exploiting the shortcut bug earlier this week. On Tuesday, Trend Micro reported that the shortcut vector was being used not only by Sality, but also by other malware clans, such as the Zeus botnet-building Trojan.


As exploits of the shortcut bug climb, company commits to ‘out-of-band’ update

By Gregg Keizer

Computerworld – Microsoft today said it will issue an emergency patch for the critical Windows shortcut bug on Monday, Aug. 2.

The company said that it is satisfied with the quality of the “out-of-band” update — Microsoft’s term for a patch that falls outside the usual monthly delivery schedule — but also acknowledged that it has tracked an upswing in attacks.

“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability,” Christopher Budd, a spokesman for the Microsoft Security Response Center, said in a entry on the team’s blog. “We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”

Budd said that Microsoft would release the patch on Monday at approximately 1 p.m. Eastern.

Two weeks ago, Microsoft confirmed a flaw in how Windows parses shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.

The bug was first described in mid-June by VirusBlokAda, a little-known security firm based in Belarus, but attracted widespread attention only after security blogger Brian Krebs reported on it July 15. A day later, Microsoft admitted that attackers were already exploiting the flaw using the “Stuxnet” worm, which targets Windows PCs that manage large-scale industrial-control systems in manufacturing and utility firms.

Exploit code has been widely distributed on the Internet, and Microsoft and others have spotted several attack campaigns based on the bug.

One of those campaigns apparently tipped the scales toward an early patch.

The Microsoft group responsible for crafting malware signatures to defend customers using the company’s antivirus products, including the free Security Essentials software, said that an especially nasty malware family had added exploits of the unpatched shortcut flaw to its arsenal.

“Sality is a highly virulent strain … known to infect other files, making full removal after infection challenging, copy itself to removable media, disable security, and then download other malware,” wrote Holly Stewart of the Microsoft Malware Protection Center, on the group’s blog Friday. “It is also a very large family — one of the most prevalent families this year. ”

Sality’s inclusion of the shortcut exploit quickly drove up the number of PCs that have faced attack. “After the inclusion of the [shortcut] vector, the numbers of machines seeing attack attempts combining malicious [shortcuts] and Sality.AT soon surpassed the numbers we saw with Stuxnet,” said Stewart.

“We know that it is only a matter of time before more families pick up the technique,” she added.

Other security researchers had spotted Sality exploiting the shortcut bug earlier this week. On Tuesday, Trend Micro reported that the shortcut vector was being used not only by Sality, but also by other malware clans, such as the Zeus botnet-building Trojan. Leer más “Microsoft sets emergency Windows patch for Monday”