Categories: PCSecurityWorkspace

Microsoft Tackles 34 Vulnerabilities In Latest Patch Tuesday

Microsoft released 10 security bulletins today to address 34 vulnerabilities, including several with Microsoft’s highest exploitability rating.

The exploitability rating ranks vulnerabilities according to the likelihood attackers will develop reliable exploit code. Three of the bulletins are rated “critical.” Among them is MS10-033, which plugs two Windows security vulnerabilities that could allow an attacker to exploit remote code if a user is tricked into opening a malicious media file or receives specially crafted streaming content.

The other critical bulletins are MS10-034, which address two Windows vulnerabilities, and MS10-035, a cumulative update for Internet Explorer that swats a number of bugs. Among them, noted Qualys CTO Wolfgang Kandek, is the bug exploited earlier this year in the Pwn2Own hacking contest at CanSecWest.

To Symantec’s Joshua Talbot, the most serious vulnerability is actually the Windows kernel TrueType font parsing issue covered in MS10-032.

Windows kernel TrueType font parsing vulnerability

“The most serious is the Windows kernel TrueType font parsing vulnerability,” said Talbot, security intelligence manager for Symantec Security Response, in a statement. “Exploiting this—likely through a drive-by download attack—would give an attacker near system-level privileges. It’s doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social engineering tricks coaxing them to visit unfamiliar Web pages, which could contain a malicious font.”

The fixes also include a patch for a vulnerability in Microsoft SharePoint the company warned about in late April and a massive update for Microsoft Office that patched 14 vulnerabilities. “Customers should review their asset management systems and verify that all Windows XP devices have been upgraded to SP3 and that all Windows 2000 devices have been replaced or removed from the network,” advised Josh Abraham, a security researcher with Rapid7. “The most critical area of weakness for many organizations are third-party devices that are still using these operating systems. For these systems, customers will need to contact the vendor and verify the upgrade process.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Is the Digital Transformation of Businesses Complete?

Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…

16 hours ago

Craig Wright Faces Contempt Claim Over Bitcoin Lawsuit

Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…

17 hours ago

OpenAI Adds ChatGPT Search Features

OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…

17 hours ago

Google Maps Steers Into Local Information With AI Chat

New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…

18 hours ago

Huawei Sees Sales Surge, But Profits Fall

US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…

18 hours ago

Apple Posts China Sales Decline, Ramping Pressure On AI Strategy

Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…

19 hours ago