Today, Microsoft issued three new security advisories and a dozen new patches in its monthly round of security updates. One of the advisories was apparently the result of a security fumble by Microsoft’s internal IT team: the inadvertent disclosure of the private key for a wildcard SSL/TLS certificate.
The certificate, issued for Microsoft’s xboxlive.com domain, has been marked untrusted in Microsoft’s Certificate Trust List (CTL). Because a wildcard certificate covers every host under the domain, anyone holding its private key can impersonate any xboxlive.com server, which makes man-in-the-middle attacks that “spoof” the Xbox Live network possible against any client that still trusts the certificate. Microsoft isn’t saying how the key was “inadvertently disclosed,” but the most plausible explanation is that the wildcard certificate, private key included, was accidentally shared with a partner. Now that it has been revoked, an attack is unlikely to succeed against systems that receive Microsoft’s updated trust list, but a revocation is only as good as its distribution: systems that don’t regularly pull CTL updates, or that never consult the list at all, remain exposed until they do.
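One way to see whether a particular Windows host has actually picked up that distrust, as an added example that is not part of the article and not Microsoft’s own tooling: it looks for a certificate whose subject mentions xboxlive.com in the machine’s Untrusted (Disallowed) store and reports when the automatic updater last refreshed the disallowed-certificate CTL. The subject pattern, the registry value name `DisallowedCertLastSyncTime` under the `AuthRoot\AutoUpdate` key, and the optional `-Since` cut-off date are assumptions of this example; the article itself names only the domain.

```powershell
# Added example, not from the article or from Microsoft. Assumptions: the revoked
# certificate's subject contains "xboxlive.com", and the automatic updater records
# its last disallowed-CTL refresh in DisallowedCertLastSyncTime (a FILETIME) under
# HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate.
function Get-DisallowedCertificateStatus {
    param(
        [string]$SubjectPattern = '*xboxlive.com*',
        # Optional: the advisory date; set it to decide whether the CTL sync is recent enough.
        [Nullable[DateTime]]$Since = $null
    )

    # 1. Certificates explicitly pushed into the Untrusted (Disallowed) store,
    #    e.g. by an update that ships the revoked leaf certificate itself.
    $pushed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object Subject, Thumbprint, NotAfter

    # 2. When the disallowed-certificate CTL was last refreshed by the automatic
    #    updater. The value is a little-endian FILETIME stored as a byte array;
    #    it is absent on hosts that have never synced (or lack the updater).
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $lastSync = $null
    $raw = (Get-ItemProperty -Path $key -Name DisallowedCertLastSyncTime `
            -ErrorAction SilentlyContinue).DisallowedCertLastSyncTime
    if ($raw -and $raw.Length -ge 8) {
        $lastSync = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
    }

    $synced = $null
    if ($Since) {
        # A host whose CTL has not refreshed since the advisory is still exposed.
        $synced = ($null -ne $lastSync) -and ($lastSync -gt $Since.Value.ToUniversalTime())
    }

    [PSCustomObject]@{
        MatchingDisallowedCerts  = @($pushed)
        DisallowedCtlLastSyncUtc = $lastSync
        CtlRefreshedSinceCutoff  = $synced
    }
}

# Usage: run elevated on the host being checked; pass -Since with the advisory date.
Get-DisallowedCertificateStatus | Format-List
```

An empty `MatchingDisallowedCerts` list does not by itself prove exposure: the automatic updater enforces the CTL it holds in the registry without necessarily placing a full certificate in the Disallowed store, so the sync timestamp is the more reliable indicator. Conversely, a host that has no `DisallowedCertLastSyncTime` at all is exactly the “doesn’t regularly get its certificate trust list updated” case the advisory warns about.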
System administrators have a bigger headache to deal with: an update issued today for Microsoft Windows DNS that patches a remote code execution vulnerability. Rated “critical” by Microsoft, the bug affects the DNS Server role on Windows Server 2008 and later. An attacker who can reach the server could send a specially crafted Domain Name System (DNS) request that runs code on the server with the permissions of the Local System account. Local System is the highest privilege on a Windows host, so there is nothing left to escalate locally, and because Windows DNS is typically installed on domain controllers, a compromised DNS server frequently means a compromised Active Directory domain.
The DNS fix is one of eight critical fixes in this “Patch Tuesday” release, alongside large cumulative updates for Internet Explorer, Edge, JScript and VBScript, all of which close holes that a malicious website could use for remote code execution. There is also a remote code execution fix for a graphics component shared by Skype, Lync, Office, Silverlight, Windows itself and the .NET Framework, which could be exploited by a malicious document or web page, and a separate remote code execution bug in Silverlight and Office themselves. Finally, a patch for the Uniscribe text API fixes a vulnerability that would let a malicious font execute code.
SOURCE: Sean Gallagher | Ars Technica