Microsoft's Patch Tuesday brings FREAK fix for Windows users, and more

Last week it was revealed that all versions of Windows were vulnerable to the so-called FREAK vulnerability.

Today, in its regular Patch Tuesday round-up of security patches, Microsoft rolled out a fix for Windows users.

If you've been living under a rock for most of the month, you may have missed the hullabaloo over the FREAK vulnerability. FREAK (also known as the Factoring Attack on RSA-EXPORT Keys vulnerability or CVE-2015-0204) is the latest flaw to be found in SSL/TLS, and could allow unauthorised parties - such as malicious hackers or intelligence agencies - to spy upon your supposedly secure internet communications.
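Because FREAK hinges on a server and client agreeing to an RSA_EXPORT cipher suite, one thing a defender can do is look at captured handshakes and flag any ServerHello that selects an export-grade suite. The following is an added illustration, not code from this article or from Microsoft; it parses a TLS 1.0 ServerHello record and reports the negotiated suite. The cipher-suite code points come from the TLS registry (RFC 2246 values, from my own reading of the registry rather than the article), and the sample records are constructed by hand for the example.

```python
"""Flag export-grade cipher suites in a captured TLS ServerHello.

Added example for the FREAK discussion above (not the article's own
code). FREAK relies on a client accepting an RSA_EXPORT suite, so a
defender can check handshake captures for servers that still agree to
one. Sample records below are constructed for this example.
"""
import struct

# Export-grade suite code points from the TLS 1.0 registry (RFC 2246).
# Assumption: this list is from my reading of the registry, not the article.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello; return version and suite."""
    # Record header: content_type(1) version(2) length(2)
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: msg_type(1) length(3); ServerHello is type 2
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 3 > len(hello):
        raise ValueError("ServerHello too short for cipher_suite")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def negotiated_export_suite(record: bytes):
    """Return the export suite name if the server chose one, else None."""
    suite = parse_server_hello(record)["cipher_suite"]
    return EXPORT_SUITES.get(suite)


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (constructed test data)."""
    hello = (b"\x03\x01"                        # server_version = TLS 1.0
             + b"\x00" * 32                     # server_random (zeros for the example)
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite)
             + b"\x00")                         # compression_method = null
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    weak = build_server_hello(0x0003)           # RSA_EXPORT: what FREAK needs
    strong = build_server_hello(0x002F)         # TLS_RSA_WITH_AES_128_CBC_SHA
    print("weak  ->", negotiated_export_suite(weak))
    print("strong->", negotiated_export_suite(strong))
```

Run against real captures, the check is only half the story: a server that never offers export suites cannot be downgraded regardless of whether its clients are patched, so the same list is worth comparing against your own server cipher configuration.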

For more details of what the FREAK flaw was, how it came about, and how it could put you at risk, be sure to read the FREAK FAQ I put together.

Anyway, the good news is that March's Patch Tuesday bundle includes not just fixes for a number of critical security vulnerabilities that could be exploited in remote code execution attacks, but also a band-aid for the FREAK flaw.

Here is a breakdown of the security updates that Microsoft labelled as "Critical" in March's Patch Tuesday update:

MS15-018: Cumulative Security Update for Internet Explorer
Fixes a number of critical Internet Explorer vulnerabilities, in IE 6 and later, that could be exploited by a hacker to run malicious code on your computer when you visit a boobytrapped webpage. Amongst the flaws fixed is the so-called "Universal XSS" vulnerability that could be exploited by malicious hackers to launch convincing phishing attacks and inject malicious code into users’ browsers as they visit websites.

MS15-019: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
Security fixes for a vulnerability in the VBScript scripting engine in Microsoft Windows, which could have allowed malicious code to execute on users' computers if they visited a boobytrapped webpage.

MS15-020: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution
Open a file, browse a folder containing a specially-crafted DLL file, or visit a boobytrapped webpage and BOOM! Your computer could now be running malicious code. A similar flaw was exploited by the notorious Stuxnet worm. This security update resolves this remote code execution vulnerability.

MS15-021: Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution
Wouldn't you like to think that a piece of code designed to handle fancy fonts wouldn't help attackers run code of their choosing on your computer, just by you viewing a boobytrapped file or webpage? Yeah, me too.

MS15-022: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
So, you run Microsoft Office. I'll wager, therefore, that sometimes you open Microsoft Office files (Word documents, Excel spreadsheets, PowerPoint presentations, that kind of thing). Microsoft has fixed a bunch of vulnerabilities, the most severe of which could allow remote code execution.

Of course, Microsoft fixed more than just these critical flaws. Full details of the latest Patch Tuesday (which they would prefer us to call "Update Tuesday", but hey.. I'm a traditionalist) can be found in Microsoft's Security Bulletin Summary for March 2015.

Obviously it's a good idea to update your computer systems at your earliest convenience. And if it's not convenient, maybe you should make it convenient.


One Response

  1. Günter Born

    March 11, 2015 at 12:08 pm

    Microsoft fixes FREAK vulnerability, but not on Windows 10 TP (see http://goo.gl/1pzss3)
