Patch Tuesday Addresses Client-Side Vulnerabilities
By Jennifer LeClaire / CRM Daily
Another month, another Patch Tuesday. For April, Microsoft has issued eight security bulletins that address 10 vulnerabilities, five of them rated critical.

All the bulletins address client-side vulnerabilities, continuing a trend reported this week in Symantec's Internet Security Threat Report. The report found that in the second half of 2007, more than half of patched operating-system vulnerabilities were browser and client-side vulnerabilities.

Scripting Stands Out

While all of Tuesday's security bulletins are serious, the vulnerabilities in the VBScript and JScript engines stand out because they ship on Windows by default and are tied to the operating system, according to Ben Greenbaum, senior research manager at Symantec Security Response.

"An attacker need only compromise and modify any Web page, which, when viewed by a user in a browser that uses these engines, will result in the execution of attacker-supplied code on the user's computer," Greenbaum said. "This attack requires no additional user action or intervention to exploit."

Microsoft actually reintroduced the VBScript and JScript fix that was pulled in February. Sheldon Malm, director of security research and development for nCircle, a network-security firm that works with companies like Visa, US Cellular and Archer Daniels Midland, has been watching this one closely.

"We've been very concerned about this one. It's another case where Web sites hosting third-party content can be used in multi-staged attacks," Malm said. "This is a particularly troubling trend for users because trusted sites can be used in an attack without compromising the site itself. One common example of this in action would be serving malicious ads on an otherwise trusted Web site."

Three Are Very Critical

Of the critical patches, Qualys suggests IT departments give three immediate attention: MS08-021, MS08-022 and MS08-023. These cover, respectively, the Graphics Device Interface (GDI), the VBScript and JScript scripting engines, and ActiveX controls (via kill bits); each contains vulnerabilities that can give an attacker complete control of the system.

By Qualys' standards, these are especially important because the affected components ship with every version of Windows since Windows 2000, so exploitation requires no additional software on the target, according to Amol Sarwate, manager of the vulnerability research lab at Qualys.

The ActiveX patch, MS08-023, is a "kill bit" that disables ActiveX controls in the Yahoo! Music Jukebox. This is an unusual patch in that it is the first ever provided for a third-party application that is not part of a default Microsoft system download or bundle, Sarwate said. Rather, it is for an aftermarket application that users have to choose to download. This could be an indication, he continued, that Microsoft may begin to provide additional third-party patches to enable organizations to obtain important security updates from one location.
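A kill bit is nothing more than a registry flag: Internet Explorer looks up the control's CLSID under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility and refuses to instantiate it when bit 0x400 of the "Compatibility Flags" DWORD is set. The following PowerShell is an added example written for this page, not code from the article, Microsoft or Qualys; it shows how to check, set and enumerate kill bits. The CLSID in the usage line is a placeholder, not a real control; substitute the CLSIDs listed in the bulletin you are applying.

```powershell
# Added example: how an ActiveX "kill bit" works at the registry level.
# Not from the article; the CLSID used below is a placeholder, not a real control.
# Setting a kill bit requires an elevated prompt; reading does not.

$KillBitFlag = 0x400   # bit IE checks before instantiating a control
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags {
    # Returns the "Compatibility Flags" DWORD for a registry path, or $null if absent.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-KillBit {
    # True when the kill bit is set for the given CLSID (braces included).
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatFlags -Path (Join-Path $CompatKey $Clsid)
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = Get-CompatFlags -Path $path
    $new = [int](($existing -as [int]) -bor $KillBitFlag)
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Get-KillBittedControls {
    # Enumerates every CLSID carrying the kill bit and resolves its registered
    # name from HKCR\CLSID where one exists (many kill-bitted CLSIDs are not installed).
    Get-ChildItem -Path $CompatKey | ForEach-Object {
        $clsid = $_.PSChildName
        $flags = Get-CompatFlags -Path $_.PSPath
        if ($flags -and (($flags -band $KillBitFlag) -ne 0)) {
            $reg  = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $reg.'(default)'
                Installed = [bool]$reg
                Flags     = ('0x{0:X}' -f $flags)
            }
        }
    }
}

# Usage: check a placeholder CLSID, then list what is already kill-bitted on this host.
# Call Set-KillBit only for the CLSIDs named in the bulletin; do not set it for the placeholder.
$clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
"Kill bit set for ${clsid}: $(Test-KillBit $clsid)"
Get-KillBittedControls | Sort-Object Name | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. A kill bit only stops Internet Explorer (and other hosts that honour the flag) from loading the control; the vulnerable DLL stays on disk and can still be loaded by any process that calls CoCreateInstance directly, so it is a mitigation for the browser vector, not a fix for the code. And because a kill bit is just a registry value, you can deploy it through Group Policy or a script ahead of the vendor's patch when an in-the-wild exploit appears, which is exactly why Microsoft can ship one for a third-party control it does not maintain.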

"While there are no zero-day exploits addressed in Tuesday's release, there is an alarming trend in that the majority of the patches ... address vulnerabilities contained in legacy Microsoft code," Sarwate said. "This means that code reuse from older Windows versions dating back to 2000 is rampant and therefore affects a very wide base of Microsoft users."

© Copyright 2018 NewsFactor Network. All rights reserved.