A patch for the kernel-level graphical device interface was part of Microsoft's December 2013 Patch Tuesday security updates. The Redmond, Wash.-based software maker repaired 24 flaws across its product line, releasing 11 bulletins this month, including five rated critical that address serious flaws in Internet Explorer, Windows, Microsoft Exchange and Microsoft Office.
The company issued an advisory in November acknowledging ongoing zero-day attacks targeting an error in the way Windows handles TIFF graphics files. The threat impacts users of Microsoft Office 2003 through 2010 as well as all supported versions of Microsoft Lync running on Windows XP, Windows Vista and Windows 7.
A known zero-day vulnerability that surfaced last week in Windows XP remains open while engineers work on a patch. Security experts are downplaying the threat associated with the second zero-day, because an attacker would need local access to Windows XP in order to fully exploit the error to gain elevation of privileges on the system. "We recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems," wrote Dustin Childs, group manager of response communications in Microsoft's Trustworthy Computing unit, in the Microsoft Security Response blog.
IT teams need to look carefully at the impact of zero-day vulnerabilities across the organization, say security experts who point to a string of zero-day exploits that have been used in targeted attacks this year. Businesses are already struggling to maintain basic security controls, said Chris Camejo, who heads assessment services at managed service provider NTT Com Security. Zero-days are helping the offense win, Camejo said.
"There's a big market out there for zero-days with all kinds of threat actors out there who could potentially use them," Camejo told CRN.
In addition to the update fixing the zero-day vulnerability, solution providers told CRN that businesses should address an update repairing seven flaws in Internet Explorer. A coding error in Microsoft's Scripting Runtime Object Library is also a serious problem, they say. Attackers could exploit the flaws covered by both updates in drive-by attacks or by luring users to a malicious website.
Attackers can target flaws in the browser and scripting engine on all currently supported versions of Windows, which means fixing them should be a priority, said Wolfgang Kandek, chief technical officer at vulnerability management vendor Qualys Inc.
Kandek said patching administrators should also look at Microsoft's update to Exchange Server, which resolves three vulnerabilities, including errors in Outlook Web Access and a cross-site scripting flaw. A successful attack could enable a complete takeover of the mail server, Kandek said. The patches update the Oracle Outside-In Libraries and impact users of Exchange Server 2007, 2010 and 2013. "There haven't been any active attacks in the wild, but the information is available for someone to create an attack targeting Microsoft Exchange fairly quickly," Kandek said.
Microsoft also addressed a vulnerability in Microsoft Office. The software maker said it has detected attacks targeting the coding error, which impacts users of Office 2013. An attack could expose access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site, Microsoft said. In addition, Microsoft issued repairs to SharePoint Server, the Windows kernel and Microsoft Office.
PUBLISHED DEC. 10, 2013