Urgent! Update your Windows to patch several critical vulnerabilities‏


Updating Windows

Microsoft published a security bulletin this April after patching several vulnerabilities in their operating systems and applications. Updates for Microsoft Office, Internet Explorer and several other Microsoft applications are included. This is an important release as many of the vulnerabilities fixed were massive in scale and severity.

Microsoft usually releases security patches on the 2nd or 4th Tuesday of each month (in North America). This has lead to the day being referred to as “Patch Tuesday” or “Update Tuesday”. Microsoft also has a tendency of releasing more updates in even numbered months like February, April and so on as compared to odd numbered months. In any case, releasing security fixes regularly is definitely a good practice.

We strongly recommend all users to update Windows installations.

Several unpleasant situations avoided

Some of the major fixes are:

Cumulative Security Update for Internet Explorer (3038314): This fixes the remote code execution vulnerability in IE. The leak made it possible to execute a malicious code remotely by designing a suitable website, and having the same rights and privileges as the current user. This was a massive vulnerability and could have allowed cyber criminals to literally take over your computer!

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019): Similar vulnerabilities in Microsoft Office were also patched. Due to this vulnerability, a special MS Office file (like a malicious word document) could also allow attackers to execute their code on the victim’s system.

Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553): Attackers could also execute code remotely by sending a specifically crafted HTTP request to a vulnerable Windows system. This is probably the most severe security threat since it allows hackers to take over a system by simply sending an HTTP request. After generating the malicious request, cyber criminals could target every possible webserver until they find one that is vulnerable. The issue could be resolved temporarily by disabling IIS kernel caching, but that could affect the performance of the system.

According to Wolfgang Kandek, CTO at Qualys:

“An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for a second local vulnerability to escalate privilege, become administrator and install permanent exploit code. The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the Internet.”

It is expected that we will see several attempts by cyber criminals to break into windows webservers using this vulnerability. Surprisingly though, Windows Server 2003 IIS is not vulnerable, meaning the issue was created in later releases.

Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576): This vulnerability allows attackers to run their code with elevated privileges by designing a suitable application.

Vulnerability in .NET Framework Could Allow Information Disclosure (3048010): This vulnerability in .NET could be exploited by sending a specifically crafted request to an affected server that has custom error messages disabled. This would allow the attacker to retrieve sensitive information by viewing parts of the web configuration file. This is a major concern since there are plenty of Windows servers deployed in corporate environments holding financial and sensitive data.

Microsoft has released the patches, but to ensure that the above scenarios do not take place, users must install security updates. Windows automatically installs all important updates unless, the feature is turned off by the user. We strongly recommend keeping your Windows installation up to date to avoid many such threats.

Have a nice (patched-up) day!