26 Windows, Office holes patched in 13 bulletins

Microsoft fixed 26 vulnerabilities in 13 security bulletins as part of its Patch Tuesday, including critical ones for Windows that could be exploited to take control of a computer and one that has resided in the 32-bit Windows kernel since its release 17 years ago. The top priorities for deployment are bulletins plugging holes in the SMB (Server Message Block) Protocol, Windows Shell Handler, ActiveX via Internet Explorer, DirectShow, and the 32-bit version of Windows, Jerry Bryant, a lead senior security communications manager at Microsoft, wrote in a blog post.The DirectShow bulletin should be at the top of the list, according to Bryant. It is critical for all supported versions of Windows except Itanium-based server products. To exploit the hole, an attacker could host a malicious AVI (Audio Video Interleave) file on a Web site, and lure a user to visit the site or send the file via e-mail so the user could open it.In the SMB bulletin, critical for all versions of Windows except Vista and Server 2008, an attacker would need to host a malicious server and convince a client system to connect to it, or an attacker could try to perform a man-in-the-middle attack by responding to SMB requests from clients, Bryant said.In the critical Windows Shell Handler vulnerability, which affects Windows 2000, XP, and Server 2003, an attack could come via a specially crafted link that appears to be valid to the ShellExecute API (application programming interface).

Leave a comment

Your email address will not be published. Required fields are marked *