Hacker News: Microsoft Finally Releases Security Patches For Publicly-Disclosed Critical Flaws


After last month’s postponement, Microsoft’s Patch Tuesday is back with a massive release of fixes that includes patches for security vulnerabilities in Windows and associated software disclosed and exploited since January’s patch release.

Meanwhile, Adobe has also pushed out security updates for its products, releasing patches for at least seven security vulnerabilities in its Flash Player software.

Microsoft patched a total of 140 separate security vulnerabilities across 18 security bulletins, nine of them critical as they allow remote code execution on the affected computer.

Microsoft Finally Patches Publicly Disclosed Windows Flaws

Among the “critical” security updates include a flaw in the SMB (server message block) network file sharing protocol, which had publicly disclosed exploit code since last month. The original patch released last year for this flaw was incomplete.

The flaw is a memory corruption issue that could allow remote code execution (RCE) of a malicious code if an attacker sends specially crafted messages to a Microsoft SMBv1 server.

All versions of Microsoft Windows are affected by this issue that could allow a remote, unauthenticated attacker to crash systems with denial of service attack.

Microsoft admitted: “Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.”

Microsoft patched the vulnerability but did not credit Laurent Gaffié, who found the flaw last year and released the exploit code in February.

Microsoft Also Patches Flaws Uncovered By Google

Another critical patch (MS17-013) contains a dozen of serious flaws in Windows’ Graphics Component GDI Library used in Office, Skype, Lync, and Silverlight.

The flaws reside in the way Windows handles certain image files. Hackers can exploit the weaknesses to achieve remote code execution on your system by making you visit a booby-trapped website or open a malware-ridden document. No further user interaction is needed.

Google’s Project Zero also disclosed this flaw with proof-of-concept exploit late last month before Microsoft had fixed it.

All supported releases of Microsoft Windows back to Windows Vista are vulnerable to this flaw. The tech giant originally patched this issue in June last year, but the patch was incomplete.

Microsoft also patched seven other critical flaws, including two cumulative updates for Internet Explorer and its Edge browser, and nine important ones.

In late last month, Google’s Project Zero research team publicly disclosed details and proof-of-concept exploit for a code execution flaw in Microsoft’s Internet Explorer and Edge browsers that could allow attackers to cause a crash of the browsers.

Meanwhile, Adobe also released patches for its Flash Player software for Windows, Macintosh, Linux and Chrome OS.

Users are advised to apply Windows as well as Adobe patches to keep away hackers and cybercriminals from taking control over your computer.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

♥Thanks for sharing♥

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s