Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
  HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 7 MINUTES AGO.
You are here: Home / Microsoft/Windows / Patch Tuesday Focuses on FREAK Fix
Microsoft Patch Tuesday Focuses on FREAK Fix
Microsoft Patch Tuesday Focuses on FREAK Fix
By Jennifer LeClaire / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
MARCH
11
2015
Redmond on Tuesday released 14 security bulletins to address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Exchange, and Internet Explorer. As usual, Microsoft is encouraging customers to apply them all. The question is, which ones to apply first. We turned to security analysts from advanced threat protection firm Tripwire to get some feedback.

Here's the big picture: The March Patch Tuesday update addresses 10 vulnerabilities Microsoft has labeled as reliable attack vectors for remote code execution in the latest versions of affected products, according to Craig Young, security researcher for Tripwire.

Focus on FREAK

"The critical vulnerabilities affecting Internet Explorer, Microsoft Office, and the Adobe font driver should be top priority for both enterprise and home users as they provide the means for attackers to carry out effective social engineering-based attacks," Young said.

Young noted that MS15-031, which addresses the so-called FREAK attack, will be getting a lot of attention as well. The FREAK attack is possible when a vulnerable browser connects to a susceptible Web server -- a server that accepts "export-grade" encryption, according to FreakAttack.com, a site dedicated to tracking the impact of the attack and helping users test whether they're vulnerable. Windows is vulnerable.

"While this attack does present realistic risk to users, particularly when using public Wi-Fi, the attack is still rather targeted because to be successful an attacker must control some portion of a network and select specific secure Web sites that still support export-grade cipher suites,” Young said.

The 'Kitchen Sink' Fix

Tyler Reguly, security researcher for Tripwire, told us with 14 bulletins, Microsoft seems eager to fix everything this month. From Remote Desktop to Exchange, NetLogon to SharePoint, and Office to VBScript, everything seems to be covered, he said.

"I was surprised that I didn't find a bulletin entitled, ‘Vulnerability in Kitchen Sink allows Faucet Leakage When Disabled,'" Reguly said. He agreed with Young that the fix for FREAK will dominate IT conversations, adding that one of the more notable points may be that Apple managed to ship an update before Microsoft, which may very well be a first.

Until Microsoft's announcement regarding FREAK Thursday, it was believed the vulnerability only affected the Android and Apple Safari Web browsers that rely on OpenSSL to establish secure connections.

Thousands of Web sites are believed affected. A few of the more popular ones are AmericanExpress.com, Groupon.com, NationalGeographic.com, Bloomberg.com and TinyURL.com, according to FreakAttack.com. As for Microsoft, the company said it was "actively" working with partners in its Microsoft Active Protections Program to provide information that can be used to offer broader customer protection.

"With SharePoint, NetLogon, Exchange, and RDP in the list, this month is a good reminder to administrators to close the doors on any unnecessary network services and to shore up access to those that are needed," Reguly said. "It's also a good time to remind end users about proper security hygiene and prudence when dealing with unexpected files, as we have updates for VBScript, IE, Office, and the Adobe Font Driver.”

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
MORE IN MICROSOFT/WINDOWS

NETWORK SECURITY SPOTLIGHT
A security researcher has found that hundreds of different models of HP notebooks, tablets, and other devices include a keylogger that could track and record every keystroke a user makes.

CRM DAILY
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.