Microsoft: Critical Exploit in Windows, Silverlight and Internet Explorer. Patch Expected Next Week
A critical flaw in Internet Explorer can make it possible to attack web browser through the code placed on compromised websites. According to Microsoft, all versions of Internet Explorer and Windows are going to receive critical updates on Patch Tuesday next week that would include the recent Internet Explorer zero-day threat patch.
The soon-to be-dropped Windows XP will also receive its penultimate patch next Tuesday, and it will include patches and fixes for Windows XP and all other versions of Windows. According to the Microsoft Security Bulletin Advance Notification for March 2014, we will receive a total of five updates next week, and two of them address critical vulnerabilities.
According to Microsoft, the recently discovered zero-day flaw in Internet Explorer will be patched and rolled out within the framework of the upcoming update. The vulnerability in question affects Internet Explorer 9 and 10 only. Apparently, more than one vulnerability has to be fixed because this month’s advance notification lists only one Internet Explorer update. The Internet Explorer exploit made it possible for remote code execution, and was rated as critical for all versions of Windows.
Another Windows vulnerability also enabled for remote code execution; it affects all Windows versions except for Server Core and RT. Apparently the only Windows version not to receive any critical updates this month is the Server Core.
The final update patches a critical vulnerability or multiple vulnerabilities in Microsoft Silverlight 5, including the one for Mac, and this fix patches a critical security feature bypass.
Two weeks ago, we heard Microsoft confirm one vulnerability in Internet Explorer 9 and Internet Explorer 10 after Fire Eye security company discovered multiple attacks that targeted current and former US military personnel visiting the Veterans of Foreign Wars website (VFW). Websense, another security company, also reported that it located an exploit leveraging the same Internet Explorer bug on the website for a French Aerospace Association, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), that includes defense and space contractors all over the world.
Websense quoted evidence that the vulnerabilities have been exploited since January 20, 2014 at least. Later on,chief technology officer at Seculert, Aviv Raff, reported that the attacks discovered by both by Websense and FireEye originated from two particular criminal groups.
Even though Microsoft continues characterizing these attacks as “limited in scope,” Symantec called to action last week. The California-based security products and antivirus vendor said its telemetry displayed that attacks targeting Internet Explorer were "expanding to attack average Internet users".
The critical vulnerability could enable attackers to hijack a PC running any version of Windows except the RT running on Microsoft Surface RT and Surface 2 tablets.
Recently, we reported Windows XP will be receiving last update on 8th of April, and Microsoft will no longer ship patches for known XP vulnerabilities, even critical ones. However, Microsoft will continue to provide critical updates to enterprises that have paid for a prolongation of support, which costs about $200 per one PC for the first year.
Microsoft has invested a fortune in ad campaign to boost Windows 8 sales and prepare the ground for Windows 8.1, including a dubious appeal to technically savvy users to help their friends and family ditch XP. Nevertheless, the Redmond-based company’s efforts have not resulted in the success they were hoping for: statistics company Net Applications released the report earlier this week that despite Microsoft’s significant ad campaign, XP still powered 29.5% of the world’s personal computers, with Windows 7 being in the 1st place, Windows XP in the second and Windows 8 only on the third.
Other exploits in Windows could be used by perpetrators to get additional access rights and bypass an unnamed security feature within the operating system. This Silverlight 5 patch will also come next week, and even though Microsoft has committed to keeping support for Silverlight until 2021, the company has ditched further technology development, which remains critical for Windows Phones, at least for now.
Expect the next Microsoft release with the above-mentioned patches next week on March, 11, around 1 p.m. ET.
