Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Microsoft, Adobe Release Critical Security Updates

Microsoft, Adobe Release Critical Security Updates

Microsoft has released security improvements to Internet Explorer, fixing a vulnerability that could allow an attacker to take control of a user's system.

In the November 11 update MS14-065: Cumulative security update for Internet Explorer, Microsoft report that 17 security vulnerabilities in Internet Explorer are resolved, the most severe being a Remote Code Exploitation.

The security vulnerability works where users might be deceived into clicking a link redirecting them to what Microsoft describe as a "compromised website or websites that accept or host user-provided content or advertisements."

Such a website could contain malicious content designed to exploit these specific vulnerabilities and allow an attacker to potentially take complete control of a user's system. If the user was logged in as admin, this would allow an attacker to not only install programs on the user's system, such as malware designed to capture keystrokes, but also give them complete access to a user's private data.

However, in the article IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows on Robert Freeman, manager of IBM X-Force Research, mentions that the issue was reported to Microsoft with a working proof-of-concept back in May 2014 -- and the issue is far older.

In his article, Freeman says:

The buggy code is at least 19 years old and has been remotely exploitable for the past 18 years. Looking at the original release code of Windows 95, the problem is present.

In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).

The issue is resolved in Security Bulletin MS14-065, and Microsoft state in their update that any attacker would not be able to force users to view the malicious content. Instead, an attacker would need to rely on a user clicking a link sent through email or instant messenger, or by opening an attachment sent in an email.

Aisde from the update for the critical Remote Code Exploitation vulnerability, Microsoft has also addressed a security update for Adobe's Flash Player. While Adobe's Security Bulletin does not go into specific details of the vulnerability, it lists 18 separate updates for its Flash player, including Windows, and states that the vulnerability "could potentially allow an attacker to take control of the affected system."

The updates to Adobe's flash player made the news across the internet on various websites dedicated to online security, being reported on (Adobe, Microsoft Issue Critical Security Fixes) and (Adobe Fixes 18 Vulnerabilities in Flash Player) among others.

In his blog post Adobe Patches 18 Vulnerabilities in Flash, on author Chris Brook comments:

In October, one week after Adobe pushed its last handful of patches for Flash, attackers began bundling one of the fixed vulnerabilities (CVE-2014-0569) into the Fiesta exploit kit.

And that it "remains to be seen" if the most recent patches will eventually be incorporated into a future exploit kit.

Away from its security updates, Microsoft also released updates to blocking of out-of-date ActiveX control, as well as out-of-date Silverlight and improvements to the Enterprise Mode Site List. More information on the Enterprise Mode Site List can be found here.

Adobe recommends users update their software installations, and can go here for more information. Windows users should use the Windows automatic updating feature to install the update from Microsoft Update from the Microsoft Safety and Security Center website.

A spokesperson responded to InfoQ's request for comment that Microsoft had "nothing to add at this time" beyond the description in Security Bulletin MS14-064.

Rate this Article