Monday, 7 January 2013

January Patch Tuesday a must for all Windows 7 users

This month's (Jan) Security Update from Microsoft may turn out to be a critical update for a number of Windows 7 (and Vista) users.

Earlier this month, Microsoft released a Security Advisory that detailed a serious electronic exploit for Internet Explorer 7, 8 and 9.  As quoted from Microsoft, 
"Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8,” a security advisory reads. “Microsoft is aware of targeted attacks that attempt to exploit this … remote code execution vulnerability.”
FireEye's Security blog provides more details on the nature of the attack with the following comments; 
"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.
This is a pretty serious Zero-day flaw and affects all users of Microsoft's Internet Explorer bar the latest version 10. In fact, the recommendation from Microsoft is to upgrade to version 10. The problem here is that IE 10 is not available for Windows 7 users - only Windows 8. Ooops!

There is a manual fix - but for most large organizations, it would be almost impossible to deploy successfully as is requires use of the Microsoft SHIM technology, command line updates and probably more importantly managing at least 29 different (major and minor) versions of Microsoft core HTML processing DLL (MSHTML.DLL). Here is a snippet of the different possible combinations from the Microsoft KB article;

In this month's Advance Notification, there are 7 Security updates for Jan, 2 of which are critical and relate to Remote Code Execution. Let's hope this IE hole is patched in January's patch update or we all might have to get a lot more familiar with shipping SHIM fixes to our desktop. 

Hint: this is something to avoid... 

References:
Microsoft Advance Security Notification

CFR Watering Hole Attack

Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution


No comments: