Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.
On this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.
Five of the the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.
One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day.
Two other patches address security issues that have received a great deal of media attention of late: The Superfish malware and the FREAK SSL vulnerability. Freak is a flaw that allows an attacker who controls the local network to downgrade your computer’s encrypted communications to a much weaker (and crackable) level of security — potentially allowing attackers to eavesdrop on your browsing and modify or redirect your communications.
As security expert and cryptologist Matthew Green noted, the FREAK vulnerability is thought to stem from efforts by the National Security Agency to weaken encryption technology allowed to be shipped overseas. Ironically, several researchers have shown how the NSA’s own Web site was made vulnerable by this flaw; check out SmackTLS.com for more on that.
Microsoft also blogged that on Feb. 19 it released an update to its Malicious Software Removal Tool which searches for and removes Superfish, an adware program that was recently discovered to have factory-shipped with many consumer PCs made by Lenovo. Superfish also has been shown to undermine the SSL encryption on systems with the invasive program installed, as demonstrated by researcher Robert Graham in this post. Lenovo has said it is no longer shipping Superfish with PCs, and has released a tool to help remove the program.
For the first time in a while, there are no fixes from Adobe on Patch Tuesday, although one of the critical patches Microsoft released today addresses a dangerous bug in the Adobe Font Driver on most versions of Windows. For more on today’s Microsoft updates, check out the roundups published by Qualys and Shavlik. Links to the individual bulletins released today are here.