Microsoft mitigated 64 vulnerabilities in the latest Patch Tuesday. In all, Microsoft released 17 security bulletins. The gigantic security update by the developer also includes patches for four privately disclosed vulnerabilities and one publicly disclosed vulnerability in Internet Explorer (IE). The company has rated the update as critical for IE6, IE7 and IE8 on Windows clients and moderate for IE6, IE7 and IE8 on Windows servers. The security flaws do not affect IE9. The security flaws could allow remote code execution if the user views a specially crafted malicious web page in IE. Exploitation of the security flaws could enable the attacker to gain the same rights as those of the logged-on user account. The update improves the way IE manages objects in memory, and the way it handles content and script during some processes.
One of the five vulnerabilities mitigated is a use-after-free bug, which was successfully exploited by security researcher Stephen Fewer in the Pwn2Own contest at the CanSecWest Conference held earlier this year. Fewer, who is associated with Harmony Security, used three vulnerabilities to exploit the browser and escape its protected mode. Microsoft is working to resolve the other two vulnerabilities, a heap address leak and a protected mode bypass, exploited by the Ireland-based security researcher. The use-after-free bug and the information leak vulnerability do not affect IE9, as the issue was identified through fuzzing and resolved by the company's professionals during the development of version 9.
Security flaws in software are common. IT professionals are required to regularly update their skills by attending security conferences, webinars and undertaking online IT degree programs.
Developers encourage researchers to identify and report vulnerabilities before they are exploited by cybercriminals.
Some of the mitigated vulnerabilities were reported by security researchers affiliated with Google and VeriSign. A proactive approach is crucial to deal with the ever-growing cyber threats. Professionals qualified in secure programming, IT degree programs and penetration testing may help software developers in the timely identification and mitigation of security flaws.
Microsoft releases security updates on the second Tuesday of every month. Security experts have advised users to immediately apply the patches provided by the company in the mega security update. Internet users must use genuine software and enable automatic updating to allow automatic download and installation of security updates. Users must resist the tendency to use pirated and cheap software, as it adversely affects the functioning of the computer system. Use of counterfeit software also deprives users of the opportunity to benefit from regular security updates and recommendations from software developers. They must also refrain from opening e-mail attachments received from suspicious and unknown sources. They must install and update security solutions to safeguard computers against malware and other malicious downloads. Employees could be made aware of the security threats through regular huddle sessions, e-learning programs and encouragement to undertake online IT courses on cyber security. Organizations must restrict user rights on computer systems to limit the impact of malicious code, since code that runs in the browser gains only the rights of the logged-on user, and to avoid the compromise of confidential information. Security professionals must keep track of security updates and threat alerts to identify and apply relevant patches.