Just hours after a Microsoft security manager said that the week's updates had patched all in-the-wild threats against Office applications, the company late yesterday acknowledged that another bug in Word is being used by hackers to commandeer computers. On Tuesday, Microsoft released 12 security bulletins with patches for 20 vulnerabilities, including six for Word and one each for PowerPoint and Excel. "All the zero-day [vulnerabilities] in Word and Office were patched Tuesday," Mark Griesi, security program manager for the Microsoft Security Response Center (MSRC), said yesterday.
Griesi said the status of the bugs and their patches -- most of which were being used by cybercriminals in targeted attacks -- was confusing. "Some of that is because in the time since the vulnerabilities began appearing, there were other reports on new zero-days," said Griesi. "But those were not new zero-days." Instead, Microsoft determined that in-the-wild exploits weren't working, or that the bugs being used had already been disclosed. The newest Word flaw fits the first scenario. On Feb. 9, McAfee Inc. researchers said that they had found another unpatched bug in Microsoft Word 2000. That same day, Microsoft reported that its analysis indicated the flaw could only crash the word processor. Such distributed denial of service (DDoS) vulnerabilities are considered less threatening, since they may not let the attacker run his own code on the compromised machine.
View: The full story
News source: Computer World
Griesi said the status of the bugs and their patches -- most of which were being used by cybercriminals in targeted attacks -- was confusing. "Some of that is because in the time since the vulnerabilities began appearing, there were other reports on new zero-days," said Griesi. "But those were not new zero-days." Instead, Microsoft determined that in-the-wild exploits weren't working, or that the bugs being used had already been disclosed. The newest Word flaw fits the first scenario. On Feb. 9, McAfee Inc. researchers said that they had found another unpatched bug in Microsoft Word 2000. That same day, Microsoft reported that its analysis indicated the flaw could only crash the word processor. Such distributed denial of service (DDoS) vulnerabilities are considered less threatening, since they may not let the attacker run his own code on the compromised machine.
View: The full story News source: Computer World
Not really... there is no way Microsoft could possibly know all the exploits that may or may not be used by a hacker. Until the problem has been published and verified by Microsoft, they couldn't possibly know how to prevent the attack, much less prevent it in the future; if you don't know a problem exists, you'll continue using the methods you assume are working correctly.
Not really... there is no way Microsoft could possibly know all the exploits that may or may not be used by a hacker. Until the problem has been published and verified by Microsoft, they couldn't possibly know how to prevent the attack, much less prevent it in the future; if you don't know a problem exists, you'll continue using the methods you assume are working correctly.
I made no comment about Microsoft unable or needing to patch unknown holes. That would be ridiculous.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.