MS Office, Lync Vulnerabilities Can Be Exploited by Attackers to Control Infected Systems

By UCStrategies Staff

An advance notification bulletin issued by Microsoft alerts users to vulnerabilities in Microsoft Office and the UC platform Microsoft Lync. Attackers can use the vulnerabilities to remotely execute commands and gain control of infected systems.

Microsoft is issuing the fixes today, May 14, 2013. The vulnerabilities they address are described as “important” but not “critical.”

A Naked Security blog post by security researcher Paul Ducklin discussed how Microsoft judges “important” and “critical” vulnerabilities. Ducklin wrote, “Microsoft's interpretation of important means that an exploit against the vulnerability is likely to be found, but you'll probably get some sort of warning, such as a pop-up dialog, if an attacker tries to use it. On the other hand, critical means not just that an exploit is likely (or already known), but that it can be used silently—what’s known as a drive-by install—without popups or any other kind of warning.”

Thirty-three vulnerabilities have been identified and fixed in 10 separate patches. These include security holes in .NET Framework, Microsoft Office, and Windows Essentials. Eight vulnerabilities have been deemed important by Microsoft, while two are rated critical. Some require a reboot of the system, while some may prompt a user to restart.

Earlier, on May 8, 2013, Microsoft released an emergency patch to fix a critical vulnerability in Internet Explorer 8 (IE8). The IE security hole was used in attacks aimed at U.S. government employees.

Tripwire’s director of security research and development, Lamar Bailey, emailed his comments to FierceEnterpriseCommunications and remarked that “most interesting patches for this month are the pair of IE bulletins that contain critical remote execution vulnerabilities that affect IE 6 through IE 10. These bulletins impact every current operating system version including XP.”

Meanwhile, Qualys, Inc. chief technology officer Wolfgang Kandek informed IT managers that their “focus points” for patching should be the remote execution holes. (KOM)

 
