Microsoft (and Adobe for that matter) released a slew of security updates in the May 2013 edition of their monthly patch Tuesday release. As always, if your machine isn’t set to automatically install these upgrades, then make sure you agree to install them when prompted to do so by Microsoft (or Adobe).
I don’t want to beat the dead horse too relentlessly here, but there is literally no good reason not to install security updates. Not one. You don’t have to do anything but click ‘yes,’ or, in most cases, wait a few extra minutes while your machine boots up and installs them automatically. In fact, just now, as I was writing this up, Adobe informed me that it had successfully updated. I didn’t even know it was installing anything. That’s how easy it was.
Ease aside, not installing security upgrades is like not getting a flu shot: it puts everyone else at higher risk of getting infected, because when you shirk your updates, you’re contributing to the increasingly voluminous pool of easily exploitable machines. Furthermore, the problem is one of those pesky, self-perpetuating ones. As more machines are compromised, the cybercriminals have more computing power, potential account access for phishing attacks, and other resources that they can use to compromise more and more machines.
And these updates aren’t just willy-nilly, intangible things that no one understands. Criminals exploited one of the now-patched Internet Explorer vulnerabilities in watering hole attacks targeting the United States Department of Labor. The DoL attack is widely believed to have been a stepping stone in a broader campaign targeting nuclear weapons program researchers at the Department of Energy. In the days that followed, the same vulnerability was exploited in Cambodian watering hole attacks on the US Agency for International Development (USAID).
Water holing, or a watering hole attack, is a technique whereby attackers compromise a website that they believe their real target will visit. So, in these cases, attackers infected a DoL website to snare DoE and other valuable government employees, and it was also used to phish USAID workers in Cambodia.
Perhaps more alarming yet, Adobe patched a vulnerability in its ColdFusion application development platform that attackers had already exploited to compromise servers belonging to the Washington State court system, exposing an astounding 160,000 social security numbers as well as the driver’s license numbers and names of more than a million people.
As noted by Kaspersky Lab expert and friend of the blog, Kurt Baumgartner, Microsoft also supplied fixes for a few “less sexy” but no less important escalation-of-privilege vulnerabilities. EoPs, as they’re called, are often used after a compromise so that attackers can gain full user rights on infected machines. Of course, once an attacker has full user rights, he or she can do whatever nefarious thing he or she wants.