Microsoft have reported a vulnerability that needs urgent attention and should be patched immediately.
This update addresses a vulnerability that could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.
This means that should you visit a webpage that has been compromised in this manner, you could be compromised too, putting your data and security at risk.
We recommend that you patch your machines immediately with the latest critical update to protect against this.
It’s that time again, and Microsoft have really gone to town this week with ‘9 security bulletins to patch 56 unique vulnerabilities’ in Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level access to the targeted machine or device.
Additionally, it has been reported that KB3001652 has caused issues for some users due to a suspected bug that triggers system lock-ups during install. This has now been removed from the update.
More info on the root-level bug here.
It seems that Microsoft isn’t happy with Google’s security team, Project Zero, announcing the presence of so-called ‘0-day’ vulnerabilities that it discovers in the wild.
This week, however, Microsoft Security Response Center Senior Director Chris Betz noted in a blog post that his team does not take the stance that full, public disclosure is needed to push software vendors to fix vulnerabilities and help customers protect themselves. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.”
With many resources on the internet already offering full disclosure of 0-day vulnerabilities, is this just Microsoft posturing against Google, or do they have a point? Should notification of 0-day vulnerabilities be provided behind closed doors rather than through public dissemination?