Shaun Nichols at El Reg notes the latest Patch Tuesday:
Microsoft has today patched two dozen CVE-classified security vulnerabilities in its software. People are urged to install them as soon as possible.
The US giant said the October edition of Patch Tuesday includes three critical fixes to address flaws in Internet Explorer, the .NET Framework and Windows kernel-mode driver.
[...]
MS14-061 - An 'important' rated vulnerability (CVE-2014-4117) in Office that allows an attacker to use malicious Word files to achieve remote code execution at the level of the logged-in user. The flaw can be mitigated by limiting the access rights of user accounts. The flaw is also present in Office for Mac. The discovery is credited to 35 Labs via the HP Zero Day Initiative.
[...]
And Adobe's software is still riddled with holes.
Adobe, meanwhile, has released its own monthly patch update. That patch will include a fix for three remote-code execution flaws in Flash Player for Windows, OS X, and Linux. Adobe is also patching a trio of flaws in ColdFusion allowing elevation of privilege and security control bypass.
[Update 1]: Corrected title as these vulnerabilities are not restricted to Windows.
[Update 2]: There are also reports of remote code execution and privilege elevation vulnerabilities across Solaris, Linux and Windows, via Java and Oracle: http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847.
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @09:36PM
Then of course we have the BASH flaw that's been around for years and years
...which made headlines because it's such a *rare* event.
Meanwhile, this month alone, M$ admits to TWENTY-FOUR flaws[1] for which they produced patches--3 of which it admits are critical.
Now, how many exploits were written against each of those?
How many Windoze boxes were exploited while folks waited for Patch Tuesday to roll around?
Now, how many flaws does M$ -know- about but won't patch?
Now, let's look back at the critical flaws M$ admits to for all of 2014. [google.com]
Feel free at this point to mention all the critical flaws in competing ecosystems which made headlines because of their severity.
(Now would be a good time to compare time-to-patch as well.)
...and, of course, media reaction to -actual- exploits against M$'s numerous flaws (even when they are widespread) is muted because those are not only common, they are EXPECTED.
-- gewg_