Patch Tuesday Addresses Client-Side Vulnerabilities
Another month, another Patch Tuesday. For April, Microsoft has issued eight security bulletins that address 10 vulnerabilities, five of them rated critical.
All the bulletins address client-side vulnerabilities, continuing a trend reported that week in Symantec’s Internet Security Threat Report. The report found that in the second half of 2007, more than half of patched operating-system vulnerabilities were browser and client-side vulnerabilities.
Scripting Stands Out
While all of Tuesday’s security bulletins are serious, the vulnerabilities in the VBScript and JScript engines stand out because they ship on Windows by default and are tied to the operating system, according to Ben Greenbaum, senior research manager at Symantec Security Response.
“An attacker need only compromise and modify any Web page, which, when viewed by a user in a browser that uses these engines, will result in the execution of attacker-supplied code on the user’s computer,” Greenbaum said. “This attack requires no additional user action or intervention.”
Microsoft actually reintroduced the VBScript and JScript fix that was pulled in February. Sheldon Malm, director of security research and development for nCircle, a network-security firm that works with companies like Visa, US Cellular and Archer Daniels Midland, has been watching that one closely.
“We’ve been very concerned about that one. It’s another case where Web sites hosting third-party content can be used in multi-staged attacks,” Malm said. “This is a particularly troubling trend for users considering trusted sites can be used in an attack without compromising the site itself. One common example of that in action would be serving malicious ads on an otherwise trusted Web site.”
Three Are Very Critical
Of the critical patches, Qualys suggests IT departments give three immediate attention: MS08-021, MS08-022 and MS08-023. These three, relating to the Graphical Device Interface (GDI), ActiveX controls, and the Visual Basic (VBScript) and JavaScript (JScript) engines, contain…
Original post by Top Tech News