Microsoft last Tuesday released fixes for critical vulnerabilities in Internet Explorer, Microsoft Office, SharePoint, and the Windows operating system, including patches for two different zero-day vulnerabilities. But it has yet to patch a zero-day vulnerability that was first spotted in late November. The fixes came as part of Microsoft’s regular patch-release cycle, which this month addressed 24 different vulnerabilities, as documented in 11 Microsoft security bulletins. Five of those bulletins were rated as “critical,” meaning the flaws could be exploited remotely by attackers to take full control of a vulnerable system. Multiple information security experts have recommended starting with the fix for a zero-day Microsoft Graphics component memory corruption vulnerability (CVE-2013-3906), which was first discovered in early November via in-the-wild attacks. “The vulnerability could allow a remote-code execution if a user views TIFF files in shared content,” said Microsoft. Exploit code for this bug has also already been built into the open-source Metasploit penetration testing tool.
