In its first round of security updates that exclude Windows XP, Microsoft repaired 13 vulnerabilities across its software line, addressing serious errors in supported versions of Windows and Internet Explorer.
The Redmond, Wash.-based software giant issued eight security bulletins on Tuesday, including two critical bulletins and six rated important. The updates address flaws in Windows, its SharePoint server software and Office.
Businesses appear to be heeding the message to upgrade Windows XP systems, security experts say. The share of Windows XP users has dipped below 10 percent, according to vulnerability management vendor Qualys Inc., which analyzed its customer base to produce the estimate. Many of the security bulletins issued Tuesday also affect Windows XP and Office 2003 users, said Qualys CTO Wolfgang Kandek.
Businesses that continue to maintain Windows XP systems should anticipate attacks that target flaws in the latest round of updates, solution providers tell CRN. Criminals move quickly to reverse engineer patches and create exploits that target the vulnerabilities, said Bob Coppedge, of Hudson, Ohio-based managed services provider Simplex-IT. Coppedge said Windows XP users got a gift when Microsoft included them in the emergency, out-of-band update on May 1.
"From Microsoft's perspective that patch wasn't technically difficult to push out," Coppedge said. "If you had that kind of show-stopping issue so soon after XP support was dropped and Microsoft did nothing, it would have been a PR disaster for them."
The vulnerabilities addressed in Microsoft's May, June and July rounds of security updates should be a good indicator of whether attackers will have any major success targeting Windows XP systems, said Peter Hesse, president and founder of Chantilly, Va.-based solution provider Gemini Security Solutions. In a recent interview, Hesse said firms with remaining Windows XP systems should already have taken measures to reduce the risk of an attack.
Microsoft is urging businesses to address three bulletins quickly beginning with a flaw rated important that could enable an attacker to bypass a vital security feature in Windows.
The flaw in the common controls library used by Microsoft Office can be exploited remotely, allowing an attacker to bypass Address Space Layout Randomization (ASLR), a defense that randomizes where code and data are loaded in memory so that an attacker cannot reliably predict the addresses needed to turn a memory corruption bug into code execution. On its own the flaw does not give an attacker code execution; when combined with another vulnerability, Microsoft said, it could be used by criminals to take complete control of a victim's system. It affects all currently supported versions of Office.
A vulnerability that can enable an attacker to recover passwords stored in Active Directory Group Policy Preferences is rated important by Microsoft, but the vendor is still telling patching administrators that it deserves their utmost attention. The passwords are stored in an encrypted form in preference files on the SYSVOL share, which every domain user can read, and the encryption key is publicly documented, so anyone with a domain account can decrypt them. The Windows error can give a malicious insider or an external attacker the ability to elevate privileges and ultimately gain access to sensitive systems that are normally restricted.
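The Group Policy Preferences update stops administrators from setting new passwords this way, but it does not remove entries that are already in SYSVOL, so administrators still need to find and remove them. The following audit script is an added example written for this article, not Microsoft's own tooling: it walks a SYSVOL tree (or a copy of one), parses the preference XML files that can carry a password, and reports every non-empty `cpassword` attribute together with the account it belongs to. The two sample preference files, the GPO folder name and the account names are constructed for the demonstration; the XML attribute names mirror the ones Group Policy Preferences actually writes.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Group Policy Preference files that can carry an embedded cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute names that identify the account a stored password belongs to;
# which one is used depends on the preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample: a Groups.xml with one user that carries a password blob
# and one that does not. The cpassword value is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="helpdesk" changed="2014-05-13 09:30:00" uid="{CONSTRUCTED-UID-0001}">
    <Properties action="U" newName="" fullName="" description="local helpdesk account"
      cpassword="CONSTRUCTED_BASE64_BLOB" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="helpdesk"/>
  </User>
  <User name="legacy" changed="2014-05-13 09:31:00" uid="{CONSTRUCTED-UID-0002}">
    <Properties action="D" userName="legacy"/>
  </User>
</Groups>
"""

# Constructed sample: a mapped drive with no stored credentials (empty cpassword).
SAMPLE_DRIVES_XML = """<Drives>
  <Drive name="H:" changed="2014-05-13 09:32:00" uid="{CONSTRUCTED-UID-0003}">
    <Properties action="U" path="\\\\fileserver\\home" label="Home" userName="" cpassword=""/>
  </Drive>
</Drives>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one record per Properties element that carries a non-empty cpassword."""
    hits = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        for props in parent.findall("Properties"):
            cpassword = props.get("cpassword", "")
            if not cpassword:
                continue  # an empty cpassword means no password was stored
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
            hits.append({
                "source": source,
                "type": parent.tag,        # User, Service, Task, Drive, ...
                "name": parent.get("name"),
                "account": account,
                "changed": parent.get("changed"),
                "cpassword": cpassword,    # still encrypted here; the point is that it exists
            })
    return hits


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL share (or a copy of it) and report every embedded cpassword."""
    hits = []
    for path in sorted(Path(sysvol_root).rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig")
            hits.extend(find_cpasswords(text, source=str(path)))
        except (OSError, ET.ParseError):
            continue  # unreadable or malformed file: skip, keep scanning
    return hits


def demo():
    """Build a small constructed SYSVOL tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = Path(tmp) / "Policies" / "{CONSTRUCTED-GPO-GUID}" / "Machine" / "Preferences"
        (prefs / "Groups").mkdir(parents=True)
        (prefs / "Drives").mkdir(parents=True)
        (prefs / "Groups" / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        (prefs / "Drives" / "Drives.xml").write_text(SAMPLE_DRIVES_XML, encoding="utf-8")
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['source']}: {hit['type']} '{hit['name']}' stores a password "
              f"for account {hit['account']!r} (changed {hit['changed']})")
```

Point `scan_sysvol` at `\\<domain>\SYSVOL\<domain>\Policies` from any domain-joined machine; every hit is a preference item whose password any domain user could recover, and the fix is to delete the preference item and change the password on the affected account, not merely to install the update.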
The company also issued its second Internet Explorer update in less than a month, repairing two critical memory corruption vulnerabilities that affect all currently supported versions of the browser. A critical update to Microsoft SharePoint Server addresses multiple vulnerabilities that could be exploited remotely.
Microsoft's latest round of updates also reissues the emergency out-of-band update for users on supported platforms. Criminals had been exploiting the Internet Explorer vulnerability it fixes in targeted attacks detected by security vendor FireEye. Once the emergency update was released, the attacks, which first targeted firms with ties to the defense sector and financial industry firms, were extended to a broader variety of organizations, FireEye said.
Patching administrators had double duty on Tuesday. Microsoft's May Patch Tuesday runs parallel to regular updates issued by Adobe Systems Inc. The software maker issued patches addressing serious errors in Adobe Reader and Acrobat as well as its ubiquitous Flash Player software. The firm also issued a temporary "hot fix" for users of Adobe Illustrator graphics editor running on Windows and Mac systems.