Security

Get up, shake off the hangover: These 57 Microsoft holes won't fix themselves

This month's fat security Patch Tuesday has landed

John Leyden Wed 13 Feb 2013 // 11:44 UTC

A bumper Microsoft Patch Tuesday has rolled out 12 security bulletins that collectively address a hefty 57 vulnerabilities.

Five of these bulletins reveal critical holes in the software giant's products: one bulletin (MS13-009) covers 13 bugs found in Internet Explorer, while another (MS13-016) tackles a privilege-escalation flaw in win32k.sys, a core Windows kernel-mode component. One of the IE bugs can be exploited by an attacker to gain control of a user's machine via a drive-by download.

Another update (MS13-010) also patches Microsoft's web browser to squash a security bug in an ActiveX dynamic-link library. This update is, if anything, even more important because it addresses a vulnerability that's being actively exploited by miscreants.

The other critical updates cover Windows bugs, as explained in Microsoft's bulletin here.

In other patching news, Adobe followed up a Flash release last week that grappled with two 0-day vulnerabilities, with a new patch for its plugin. The update fixes 17 security flaws. Users of Internet Explorer 10 and Google Chrome should be patched automatically.

Commentary on both updates can be found in a blog post by Wolfgang Kandek, CTO of Qualys, here. ®

Similar topics

Broader topics

Narrower topics

Corrections Send us news

Other stories you might like

Running DOS on 64-bit Windows and Linux: Just because you can

DOS isn't dead. You can still run it and its apps, even now

Liam Proven in Prague Tue 28 Jun 2022 // 08:52 UTC

FOSS Fest There are still ways to run DOS apps under 64-bit Windows and Linux, and a lot of free apps to choose from.
One of the differences between the Microsoft and Apple approaches to maintaining widely used OSes is that Apple is quite aggressive about removing backwards compatibility, while Microsoft tries hard to keep it.
One of the few times Microsoft removed a whole compatibility layer from Windows was with the launch of 64-bit Windows, which went mainstream with Vista in 2007. 64-bit editions of Windows can't run 16-bit apps, whether they're for DOS or Windows.

Continue reading
China's blockchain boosters slam crypto as Ponzi scheme

Communists reckon Bill Gates and Warren Buffet got it right

Laura Dobberstein Tue 28 Jun 2022 // 08:02 UTC

Executives at China's Blockchain-based Service Network (BSN) – a state-backed initiative aimed at driving the commercial adoption of blockchain technology – labelled cryptocurrency "the biggest Ponzi scheme in human history" in state-sponsored media on Sunday.
"The author of this article believes that virtual currency is becoming the largest Ponzi scheme in human history, and in order to maintain this scam, the currency circle has tried to put on various cloaks for it," wrote Shan Zhiguang and He Yifan in the People's Daily.
He Yifan is the CEO of startup Red Date Technology – a founding member and architect behind BSN – where he serves as executive director. Co-author Zhiguang Shan is chair of the BSN Development Alliance.

Continue reading
Cisco compresses Catalyst switches to compact size

Fanless fun for the whole family (if the supply chain functions)

Simon Sharwood, APAC Editor Tue 28 Jun 2022 // 06:58 UTC

Cisco has shrunk its Catalyst 9200 switches into three compact models.
Switchzilla reckons they exercise the newfound freedom to undertake remote work by letting organizations squeeze a proper enterprise switch into a wider variety of smaller and more exotic places.
The smallest of the models measures 4.4cm x 26.9cm x 16.5cm, and the other two add a little depth to emerge at 4.4cm x 26.9cm x 24.4cm. All are fanless, leading Cisco to suggest you bolt them under desks, nail them to walls, or even slide one into a home office.

Continue reading

To Washington's relief, GlobalWafers to spend $5 billion on Texas plant

Cash had been burning a hole in company's pocket after deal to buy Siltronic fell through

Laura Dobberstein Tue 28 Jun 2022 // 05:45 UTC

Taiwan's GlobalWafers announced on Monday a new use for the $5 billion it first earmarked for a purchase of Germany's Siltronics: building a 300-millimeter semiconductor wafer plant in the US state of Texas.
Construction on the facility – which will eventually span 3.2 million square feet – is expected to commence later this year, with chip production commencing by 2025. The plant will sit in the city of Sherman, near the Texas-Oklahoma border, where it is slated to bring in 1,500 jobs as production climbs towards 1.2 million wafers per month.
GlobalWafers is the world's third largest producer of silicon wafers and Sherman is already home to its subsidiary, GlobiTech.

Continue reading
Tencent admits to poisoned QR code attack on QQ chat platform

Could it be Beijing was right about games being bad for China?

Simon Sharwood, APAC Editor Tue 28 Jun 2022 // 04:31 UTC

Chinese web giant Tencent has admitted to a significant account hijack attack on its QQ.com messaging and social media platform.
In a post to rival social media platform Sina Weibo – a rough analog of Twitter – Tencent apologized for the incident.
The problem manifested on Sunday night and saw an unnamed number of QQ users complain their credentials no longer allowed them access to their accounts. Tencent has characterized that issue as representing "stolen" accounts.

Continue reading
Carnival Cruises torpedoed by US states, agrees to pay $6m after waves of cyberattacks

Now those are some phishing boats

Jeff Burt Tue 28 Jun 2022 // 02:58 UTC

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

Continue reading

India extends deadline for compliance with infosec logging rules by 90 days

Helpfully announced extension on deadline day

Simon Sharwood, APAC Editor Tue 28 Jun 2022 // 02:02 UTC

India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.
The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.
The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

Continue reading
Hangouts hangs up: Google chat app shuts this year

How many messaging services does this web giant need? It's gotta be over 9,000

Katyanna Quach Tue 28 Jun 2022 // 00:22 UTC

Google is winding down its messaging app Hangouts before it officially shuts in November, the web giant announced on Monday.
Users of the mobile app will see a pop-up asking them to move their conversations onto Google Chat, which is yet another one of its online services. It can be accessed via Gmail as well as its own standalone application. Next month, conversations in the web version of Hangouts will be ported over to Chat in Gmail.

Continue reading
OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw

Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

Thomas Claburn in San Francisco Mon 27 Jun 2022 // 23:30 UTC

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).
OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).
But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

Continue reading
Not enough desks and parking spots, wobbly Wi-Fi: Welcome back to the office, Tesla staff

Don't worry, the tweetings will continue until morale improves

Katyanna Quach Mon 27 Jun 2022 // 22:10 UTC

Employees at Tesla suffered spotty Wi-Fi and struggled to find desks and parking spots when they were returned to work at the office following orders from CEO Elon Musk.
Most tech companies are either following a hybrid work model or are still operating fully remotely. Musk, however, wants his automaker's staff back at the office working for at least 40 hours a week. Those who fail to return risk losing their jobs, he warned in an internal email earlier this month.
"Everyone at Tesla is required to spend a minimum of 40 hours in the office per week. Moreover, the office must be where your actual colleagues are located, not some remote pseudo office. If you don't show up, we will assume you have resigned," he wrote.

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs