Microsoft to plug critical drive-by attack flaw
By Stewart Mitchell
Posted on 6 Jul 2012 at 10:59
Microsoft will release nine patches – three of them critical - in next week’s Patch Tuesday security update.
The three critical patches fix vulnerabilities in Microsoft software that allow remote code execution, two of them in Windows and one in Internet Explorer, the company said in its advance notice bulletin.
Although Microsoft does not disclose which exact vulnerabilities will be patched until it's ready to deliver, security experts believe the key patch will be to plug a vulnerability spotted last month that could be used to install malware in drive-by attacks.
“Bulletin 1, rated ‘critical’, affects all versions of Windows, and we expect it to address the XML vulnerability disclosed by Microsoft in June's Patch Tuesday as KB2719615,” said Wolfgang Kandek, CTO of security firm Qualys.
The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer
“This bulletin will be the highest priority for users, at least for those who did not apply Microsoft's FixIt supplied in the advisory.”
According to Microsoft, there are already attacks targeting the vulnerability that could allow hackers to install key loggers or other malware on computers.
“Attacks leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0.,” the company said. “The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
"An attacker would have no way to force users to visit such a website, but would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."
The “important” patches address information disclosure, remote execution and elevated privilege issues in Windows, Office, Windows Server and Microsoft Development Tools.
- Adobe Dreamweaver CC review: first look
- Huawei Ascend P6 review: first look
- Adobe Illustrator CC review: first look
- Let MPs tell us what they really want ISPs to block
- Adobe Photoshop CC review: first look
- WWDC 2013 and iOS 7 launch: live blog
- Sony VAIO Pro review: first look
- Want child porn blocked? Meet the IWF
- Is it worth upgrading a media centre to Windows 8?
- Flickr redesign: is it enough to tempt photographers back?
- Google two-step verification: a must for business email
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?