Microsoft delivered 10 security updates yesterday to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office and SharePoint. Microsoft labeled three as “critical” – because they allow attackers to remotely install malware on victim machines – two of these address issues in Windows and the third tackles Internet Explorer (IE).
The IE update fixes vulnerabilities that earned researcher Peter Vreugdenhil $10,000 during a security conference contest in Vancouver. He was able to take full control of a Windows 7 machine despite protections such as DEP (data execution prevention) and ASLR (address space layout randomization).
Internet Explorer has been subject to a staggering number of security vulnerabilities and concerns, with much Web-borne malware made possible by exploitable bugs and flaws in its security architecture. Sometimes nothing more than viewing a malicious Web page is required to install malware – known as a drive-by install – but there are also attempts to trick the user into installing malicious software via ActiveX controls. DirectShow exploits, which emerged more recently, are a growing threat vector.
Yesterday’s security bulletin includes MS10-033 for DirectShow and MS10-035, which addresses six different vulnerabilities in IE. As Dave Marcus, director of security research and communications at McAfee Labs, points out: “These vulnerabilities could be exploited to booby trap Web sites, Office and Windows Media files to gain control over vulnerable computers simply by tricking victims into opening a malicious file or clicking a malicious link.”
Given the nature of these vulnerabilities, we recommend several layered protections to help you shield your systems, users, and data.