Patch Tuesday Addresses Client-Side Vulnerabilities

April 9th, 2008 by

Another month, another Patch Tuesday. For April, Microsoft has issued eight security bulletins that address 10 vulnerabilities, five of them rated critical.

All the bulletins address client-side vulnerabilities, continuing a trend reported this week in Symantec’s Internet Security Threat Report. The report found that in the second half of 2007, more than half of patched operating-system vulnerabilities were browser and client-side vulnerabilities.

Scripting Stands Out

While all of Tuesday’s security bulletins are serious, the vulnerabilities in the VBScript and JScript engines stand out because they ship on Windows by default and are tied to the operating system, according to Ben Greenbaum, senior research manager at Symantec Security Response.

“An attacker need only compromise and modify any Web page, which, when viewed by a user in a browser that uses these engines, will result in the execution of attacker-supplied code on the user’s computer,” Greenbaum said. “This attack requires no additional user action or intervention to exploit.”

Microsoft actually reintroduced the VBScript and JScript fix that was pulled in February. Sheldon Malm, director of security research and development for nCircle, a network-security firm that works with companies like Visa, US Cellular and Archer Daniels Midland, has been watching this one closely.

“We’ve been very concerned about this one. It’s another case where Web sites hosting third-party content can be used in multi-staged attacks,” Malm said. “This is a particularly troubling trend for users because trusted sites can be used in an attack without compromising the site itself. One common example of this in action would be serving malicious ads on an otherwise trusted Web site.”

Three Are Very Critical

Of the critical patches, Qualys suggests IT departments give three immediate attention: MS08-021, MS08-022 and MS08-023. These three, relating to the Graphical Device Interface (GDI), ActiveX controls, and the Visual Basic (VBScript) and JavaScript (JScript) engines, contain…
