Windows 8 hasn't even been on sale for a month yet but is already the
recipient of three critical security updates via Microsoft's monthly Patch
Tuesday security bulletins, each of which will block flaws that allow remote
execution of code on targeted machines.
That means flaws in the operating system can be exploited by an attacker
without the user of the machine executing a program or opening a document.
While the new operating system has been designed to be significantly more
secure than its predecessors, it still contains legacy code from earlier
operating systems, which may contribute to the problem, says Marcus Carey, a
security researcher at Rapid 7.
Windows Server 2012—another recent new Microsoft release—falls prey to the
same vulnerabilities, according to the advanced notification the company issued
about its November bulletins, which become available Tuesday.
"This may come as a surprise to many who expected that Windows 8 and
Windows Server 2012 to be much more secure than legacy versions," Carey
says in a written statement. "The truth is that Microsoft and other
vendors have significant technical debt in their code base which results in
security issues." Technical debt refers to outdated legacy code and in a
security context it means vulnerable code.
IE 9 also affected
In all, there will be six security bulletins this month, four of them
critical. Besides the three affecting Windows 8 and other Windows platforms,
the fourth affects Internet Explorer 9 and could enable a man-in-the-middle
attack leading to remote code execution.
"Nothing is under active attack; however, this is a high priority
update and should be considered the highest priority for those running Windows
7 or Vista," says Paul Henry, a security and forensic analyst with
Lumension.
One of the critical bulletins deals with a vulnerability that exposes a
system to remote code execution via the way the operating system kernel is used
to render font types. Specially crafted fonts embedded in Web pages, for
example, can generate exploits when they are rendered. Known as Windows True
Type font parsing, these exploits have been described by US-CERT as part of
Duqu malicious software.
No comments:
Post a Comment