Shaun Nichols at El Reg notes the latest Patch Tuesday:
Microsoft has today patched two dozen CVE-classified security vulnerabilities in its software. People are urged to install them as soon as possible.
The US giant said the October edition of Patch Tuesday includes three critical fixes to address flaws in Internet Explorer, the .NET Framework and Windows kernel-mode driver.
[...]
MS14-061 - An 'important' rated vulnerability (CVE-2014-4117) in Office that allows an attacker to use malicious Word files to achieve remote code execution at the level of the logged-in user. The flaw can be mitigated by limiting the access rights of user accounts. The flaw is also present in Office for Mac. The discovery is credited to 35 Labs via the HP Zero Day Initiative.
[...]
And Adobe's software is still riddled with holes.
Adobe, meanwhile, has released its own monthly patch update. That patch will include a fix for three remote-code execution flaws in Flash Player for Windows, OS X, and Linux. Adobe is also patching a trio of flaws in ColdFusion allowing elevation of privilege and security control bypass.
[Update 1]: Corrected title as these vulnerabilities are not restricted to Windows.
[Update 2]: There are also reports of remote code execution and privilege elevation vulnerabilities across Solaris, Linux and Windows, via Java and Oracle: http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847.
(Score: 4, Informative) by MrGuy on Thursday October 16 2014, @07:34PM
TFH is misleading.
Yes, the first flaw described is in a Microsoft product. But it is NOT limited to Windows machines.
The second flaw is NOT in a Microsoft product, and is ALSO not limited to Windows.
It's 2014, and you can still own a computer REGARDLESS of the OS with a Word file. The two exploits in TFS aren't about Windows - they're cross-OS issues, one of which is in a non-Windows Microsoft product (Word) and the other of which is in a non-MS product (Flash).
(Score: 2) by choose another one on Thursday October 16 2014, @08:08PM
Seconded, posting to add that of course, as usual/always you can also own various boxes via Java and Oracle:
http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847
Yep, remote code execution and privilege elevation, across Solaris, Linux and Windows.
"Microsoft Windows Security - never quite as bad as Oracle and Adobe".
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @09:40PM
That's only because they don't write as much stuff that runs on Solaris and Linux ;).
(Score: 2) by mcgrew on Friday October 17 2014, @04:07PM
Yes, the first flaw described is in a Microsoft product. But it is NOT limited to Windows machines.
Microsoft doesn't make the machines, they make the software. If you're running MS Office on your Mac, you're running Microsoft software.
It isn't OS specific, true, but it is vendor specific: Microsoft, Oracle, Adobe. The only affected software I run is Flash, and I only allow it on a few sites. I write PDFs with Open Office and read them with Firefox.
I do wish there was a decent open source spreadsheet; Open Office Calc is a pile of effluent. Glad I seldom need a spreadsheet.
Carbon, The only element in the known universe to ever gain sentience