Lurking underneath the six Microsoft April Cumulative Security Updates to patch 11 vulnerabilities in Windows and IE is a really dangerous vulnerability that you should patch immediately if not before. Neowin reported:
This security update resolves five privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user visits a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
According to Darknet, The Darkside, Microsoft would say "there have only been 'limited attacks'," but the Big M has been "hiding some more serious security issues under the carpet. Apparently attackers are already exploiting the MS12-027 flaw in ActiveX in the wild." There's more about the critical vulnerability that could allow remote code execution posted on the MS12-027 bulletin.
Indeed Microsoft Security Research & Defense reported "limited, targeted attacks" in which hackers were exploiting this zero-day vulnerability in the wild. But as we've frequently seen with Adobe Reader flaws (yes, it needs updating too), if an attacker tricks a user into opening a malicious document in the browser, it means pwnage: "browse and own." Gregg Keizer reported, "Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad -- the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 -- can hijack a PC."
Wham bam, in fact the "flaw patched by MS12-027 is a double threat." Install it first. According to Jason Miller, manager of research and development at VMware, "There are two attack scenarios. There's the malicious website [scenario] and then RTF documents, which are pretty common." And you can bet malware writers will be busy crafting malicious goodies for a computer near you soon.
MS12-024 patches a critical vulnerability in all supported versions of Windows, including the one for those of you using Windows 8 Consumer Preview. Qualys said "the bug in MS12-024 lets hackers hitch a ride inside legitimate software installation packages."
Microsoft was happy to announce, "In the US nearly 50% of Windows 7 users are experiencing the best the web has to offer with IE9." Still, not everyone is an IE fan, and if you haven't deployed the patches yet, the bad news does not stop there. Darknet wrote, "And well if anyone is using Internet Exploder Explorer still - they are in trouble anyway. The scary part is, 8 out of the 11 issues patched with this update were marked as Critical and it affects IE9 - the latest version of the Microsoft browser."
Although Network World readers previously made it clear that patching Windows is a major time sink for IT departments, patch your OS and update your applications and third-party add-ons, as was advised in "Data, Data Everywhere. Not a Control to Waste!" That Windows Blog post stated, "The computers in your organization are only as secure as your least-patched system. I am sure that you are tired of hearing how important patching is. I remember how painful it was when I managed thousands of desktops and servers. That doesn't eliminate the fact that it's one of the most significant things that you can do to successfully reduce attacks on your clients and servers."
Last but not least in the Windows-is-giving-me-a-headache department, as Andy Patrizio reported, "it's the end of XP, Vista and Office Support as we know it" with the clock ticking down to "total extinction." Colin Neagle wrote that "when Microsoft stops supporting Windows XP," it could signal the "beginning of security nightmare" and "consumer, corporate and even SCADA systems" could be at risk. The Windows Team blog nudged customers to hurry up and switch since "Microsoft will officially end support for Windows XP and Office 2003 on April 8, 2014." According to an email from Microsoft PR, the analysis from industry-leading firm Gartner said that more than 50% of organizations that do not start deploying Windows 7 in early 2012 will not complete their deployments before Windows XP support ends, "and will suffer increased support costs."
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.