Microsoft on Tuesday delivered two patches to address three vulnerabilities, but because of default settings, built-in protections and unaffected newer versions, experts don't anticipate widespread attacks to occur.
Bulletin MS11-035 is the most pressing of the two fixes, as it corrects a single critical vulnerability in Windows Internet Name Service (WINS), which is not turned on by default.
The flaw can be exploited, however, if an attacker sends malicious code to a targeted system that is running WINS.
"What might make the WINS vulnerability appealing to attackers is that it is a server-side issue," Symantec Security Response intelligence manager Joshua Talbot said.
"That means an attacker wouldn't have to trick a user into doing anything. All they would have to do to exploit this is find a server running the vulnerable service and send that machine a malicious string of data."
The issue affects Windows Server 2003 and 2008, but Talbot said built-in security features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), "will probably keep most attackers from achieving a complete takeover."
MS11-036, meanwhile, addresses two vulnerabilities, rated "important," in PowerPoint running in Office 2003, 2007 and XP, and Office 2004 and 2008 for Mac. According to Microsoft, the Office flaws can lead to remote code execution if a user is tricked into opening a malicious PowerPoint file. The attacker may then be able to obtain the same rights as the victim.
Office 2010 for Windows and Mac, however, are not affected.
Despite the mitigations and the fact that Tuesday's update fixes three issues that were privately known, attackers may act quickly to create exploits, experts said.
The update also marked a revamped version of Microsoft's exploitability index.
This article originally appeared at scmagazineus.com