New Delhi: Microsoft has finally fixed a five-year-old Stuxnet bug and the recently revealed Freak vulnerability that exposed Apple and Android browsers, and some Windows PCs, to attack.
On Patch Tuesday, the company rolled out patches for varied issues along with releasing an advisory announcing that SHA-2 code signing support has been added to Windows 7 and Windows Server 2008 R2. Microsoft said that later versions of Windows desktop and server OSes already include support for SHA-2 signing and verification.
Of the 14 patches released by Microsoft, the highest profile is the one which resolves some issues left behind by the original Stuxnet patch released in August 2010. It fixes vulnerabilities including how Windows handles loading of DLL files and how Windows Text Services improperly handles objects in memory, a report on Threatpost explained.
The DLL vulnerability was used by Stuxnet to attack the Iranian nuclear program in 2009. If a user viewed a folder or directory storing a malicious .LNK file, the exploit would allow the attacker to run code of their choice remotely.
The patch for the recently exposed Freak vulnerability addresses the security feature bypass vulnerability in Schannel, the Windows implementation of SSL/TLS, that enables Freak attacks. Freak forces systems to downgrade the key length of an RSA key to a crackable 512 bits, enabling a man-in-the-middle attack that puts supposedly encrypted traffic at risk.
The company said that the security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems.
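The kind of cipher suite enforcement described above can be sketched as a client-side check; this is an added illustration, not Microsoft's code or part of the original report. `ServerFlight` and `check_server_flight` are hypothetical names, and the sample handshakes are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Export-grade RSA key-exchange suites (IANA names; illustrative, not exhaustive).
EXPORT_RSA_SUITES = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

@dataclass
class ServerFlight:
    """Hypothetical summary of the server's handshake messages as the client saw them."""
    chosen_suite: str                     # suite named in ServerHello
    temp_rsa_bits: Optional[int] = None   # temporary RSA key in ServerKeyExchange, if any

def check_server_flight(offered: Sequence[str], flight: ServerFlight) -> Tuple[bool, str]:
    """Enforce that the key exchange matches the negotiated suite. Returns (ok, reason)."""
    suite = flight.chosen_suite
    if suite not in offered:
        return False, "suite-not-offered"
    if suite in EXPORT_RSA_SUITES:
        return False, "export-suite"
    # Only export RSA suites carry a temporary RSA key. Accepting one under any
    # other suite is the gap that lets a weak 512-bit key replace the real one.
    if flight.temp_rsa_bits is not None:
        return False, "unexpected-temp-rsa-key"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    offered = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    cases = {
        "normal RSA": ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA"),
        "downgraded": ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", temp_rsa_bits=512),
        "export": ServerFlight("TLS_RSA_EXPORT_WITH_RC4_40_MD5", temp_rsa_bits=512),
    }
    for name, flight in cases.items():
        print(name, check_server_flight(offered, flight))
```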
Microsoft has also released patches for a vulnerability in Windows Netlogon by modifying the way it handles secure channels; eight vulnerabilities in the Adobe Font Driver; a critical remote code execution bug in Office and the Windows VBScript scripting engine; and an important fix for the Internet Explorer vulnerability that led to memory corruption and elevation of privilege vulnerabilities in the browser.