Redmond on Tuesday released 14 security bulletins to address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Exchange, and Internet Explorer. As usual, Microsoft is encouraging customers to apply them all. The question is, which ones to apply first. We turned to security analysts from advanced threat protection firm Tripwire to get some feedback.
Here's the big picture: The March Patch Tuesday update addresses 10 vulnerabilities Microsoft has labeled as reliable attack vectors for remote code execution in the latest versions of affected products, according to Craig Young, security researcher for Tripwire.
Focus on FREAK
"The critical vulnerabilities affecting Internet Explorer, Microsoft Office, and the Adobe font driver should be top priority for both enterprise and home users as they provide the means for attackers to carry out effective social engineering-based attacks," Young said.
Young noted that MS15-031, which addresses the so-called FREAK attack, will be getting a lot of attention as well. The FREAK attack is possible when a vulnerable browser connects to a susceptible Web server -- a server that still accepts "export-grade" encryption, according to FreakAttack.com, a site dedicated to tracking the impact of the attack and helping users test whether they're vulnerable. An attacker sitting between the two rewrites the client's handshake to request an export-grade RSA suite; the server answers with a deliberately weakened 512-bit key, which can be factored in a matter of hours, and a vulnerable client accepts that key even though it never asked for one. Windows is vulnerable because Schannel, the TLS implementation used by Internet Explorer and other Windows software, accepted such keys; MS15-031 is the Schannel fix.
"While this attack does present realistic risk to users, particularly when using public Wi-Fi, the attack is still rather targeted because to be successful an attacker must control some portion of a network and select specific secure Web sites that still support export-grade cipher suites," Young said.
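The server-side half of Young's condition (a site that still supports export-grade suites) is straightforward to check. The following script is an added example, not code from Tripwire, FreakAttack.com or Microsoft: it builds a TLS ClientHello that offers only the three RSA_EXPORT suites named in the FREAK disclosure and classifies the server's first record. A ServerHello that selects one of those suites means the server can be used as the weak end of a FREAK downgrade; an alert (typically handshake_failure, code 40) means it refused. The two sample responses at the bottom are constructed byte strings, not captures from any real site, so the parsing runs offline; `probe()` needs network access and a hostname you are entitled to test. Note that this checks the server only; whether a client accepts an export key it never negotiated (the Schannel, OpenSSL and Secure Transport bug itself) is a separate client-side test.

```python
"""FREAK server check: offer only RSA_EXPORT suites and see what the server does.
Added example; not from the article's sources."""
import os
import socket
import struct

# RSA export suites named in the FREAK disclosure (values from RFC 2246).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(server_name: str) -> bytes:
    """TLS 1.0 ClientHello offering only the RSA_EXPORT suites, with an SNI extension."""
    suites = b"".join(struct.pack("!H", s) for s in RSA_EXPORT_SUITES)
    host = server_name.encode("idna")
    # server_name extension body: ServerNameList length, name_type 0 (host_name), name length, name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x01"                                  # client_version: TLS 1.0
        + os.urandom(32)                             # client random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites: export only
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data: bytes) -> dict:
    """Parse the first TLS record the server sends back.

    Returns {"accepted_export": bool, "suite": str | None, "alert": int | None}.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", data[:5])
    record = data[5:5 + rec_len]
    if len(record) < rec_len:
        raise ValueError("truncated TLS record body")
    if content_type == 0x15 and len(record) >= 2:       # alert: level, description
        return {"accepted_export": False, "suite": None, "alert": record[1]}
    if content_type != 0x16 or record[0] != 0x02:       # not a ServerHello
        return {"accepted_export": False, "suite": None, "alert": None}
    hs_len = int.from_bytes(record[1:4], "big")
    body = record[4:4 + hs_len]
    # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    sid_len = body[34]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    name = RSA_EXPORT_SUITES.get(suite)
    return {"accepted_export": name is not None,
            "suite": name or "0x%04x" % suite,
            "alert": None}


def _read_exactly(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the export-only ClientHello to a live server (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _read_exactly(sock, 5)
        rec_len = struct.unpack("!H", header[3:5])[0]
        return classify_server_response(header + _read_exactly(sock, rec_len))


# Constructed sample responses for offline use (not captured from any real server).
SAMPLE_SERVER_HELLO_EXPORT = (
    b"\x16\x03\x01\x00\x2a"        # record: handshake, TLS 1.0, 42 bytes
    + b"\x02\x00\x00\x26"          # ServerHello, 38-byte body
    + b"\x03\x01" + b"\x00" * 32   # server_version, server random
    + b"\x00"                      # empty session_id
    + b"\x00\x08"                  # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: downgrade accepted
    + b"\x00"                      # null compression
)
SAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal, handshake_failure (40)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(classify_server_response(SAMPLE_SERVER_HELLO_EXPORT))
        print(classify_server_response(SAMPLE_ALERT_HANDSHAKE_FAILURE))
```

Run it with a hostname to probe a live server, or with no arguments to see the two constructed cases classified. A server that returns a ServerHello with a non-export suite in response to this hello is misbehaving but not FREAK-usable, and the script reports the raw suite value so that can be inspected.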
The 'Kitchen Sink' Fix
Tyler Reguly, security researcher for Tripwire, told us that, with 14 bulletins, Microsoft seems eager to fix everything this month. From Remote Desktop to Exchange, NetLogon to SharePoint, and Office to VBScript, everything seems to be covered, he said.
"I was surprised that I didn't find a bulletin entitled, 'Vulnerability in Kitchen Sink allows Faucet Leakage When Disabled,'" Reguly said. He agreed with Young that the fix for FREAK will dominate IT conversations, adding that one of the more notable points may be that Apple managed to ship an update before Microsoft, which may very well be a first.
Until Microsoft's security advisory on FREAK the previous Thursday, the vulnerability was believed to affect only clients built on OpenSSL, such as Android's stock browser, and Apple's Safari, which uses Apple's own Secure Transport library. Microsoft's advisory added Schannel, the TLS implementation in Windows, to that list.
Thousands of Web sites are believed affected. A few of the more popular ones are AmericanExpress.com, Groupon.com, NationalGeographic.com, Bloomberg.com and TinyURL.com, according to FreakAttack.com. As for Microsoft, the company said it was "actively" working with partners in its Microsoft Active Protections Program to provide information that can be used to offer broader customer protection.
"With SharePoint, NetLogon, Exchange, and RDP in the list, this month is a good reminder to administrators to close the doors on any unnecessary network services and to shore up access to those that are needed," Reguly said. "It's also a good time to remind end users about proper security hygiene and prudence when dealing with unexpected files, as we have updates for VBScript, IE, Office, and the Adobe Font Driver."