Microsoft Patch Tuesday: The Ping of Death returns, IPv6-style

This month's round of Microsoft patches addresses must-fix vulnerabilities in Internet Explorer and Microsoft Mail

Internet Explorer proved to be the biggest security concern for Microsoft in the last month, with the browser spurring 11 of the 19 critical vulnerabilities the company issued in August's "Patch Tuesday" set of software fixes.

Such a sizable group of critical patches once again underscores the need for users and organizations to update their copies of Internet Explorer. Their reluctance to upgrade has been a source of ongoing frustration for security professionals, who repeatedly warn of the dangers of unpatched browsers and remind everyone how easy it is to actually update.

With this month's fixes, Microsoft also learned about the precarities of relying on third-party software and witnessed the return of the once menacing Ping of Death, which this time could pester IPv6 networks.

Overall, Microsoft released eight bulletins on Tuesday. Three of these bulletins were marked as critical, with the remainder categorized as important.

Security researchers are advising system administrators to apply the patches for Internet Explorer first, because of how easy it would be for attackers to exploit these previously undisclosed vulnerabilities.

"Every Internet Explorer is affected," said Wolfgang Kandek, chief technology officer of security and compliance software provider Qualys.

With these vulnerabilities still in the browser, an attacker could plant malicious code on a Web site that could read data or make changes on users' computers.

Users' reluctance to update their browsers is baffling for security experts, given that "Internet Explorer is relatively easy to patch," Kandek said. "To go to a new version shouldn't really break anything within your organization, (even) if you do that very aggressively and without much testing."

"If you experience breakage, you have a real security problem on your hands," Kandek said. In this case, "the solution would be to isolate the applications that you use with the old browsers onto machines you only use for that [task]. You should not use unpatched browsers to surf the Web," Kandek said.

The second critical bulletin addressed three remote code execution vulnerabilities in Windows Exchange Server, which would be of interest to organizations whose employees use the Web version of the Microsoft Outlook mail client.

These vulnerabilities don't actually reside in Microsoft's own code but rather in software that Oracle developed to render documents, called OutsideIn.

Microsoft uses the software to render files, such as PDFs, so they can be viewed in the browser-based Outlook Web Access client. Viewing an attachment with embedded malicious code could compromise the server. Oracle patched the software in April and again in July, and Microsoft is now passing the updated version along to its users.

"The server side process, which generates the Web page, could get compromised and let an attacker control an Exchange server," said Amol Sarwate, the director of Qualys Vulnerability Labs.

This bulletin serves as a reminder to Microsoft and other software vendors that rely on third-party libraries or programs that "vulnerabilities can bubble up through the supply chain," Kandek said.

These patches would apply to all supported versions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013.

The third critical bulletin applies only to Windows XP and Windows Server 2013, and involves a hole in Microsoft's OpenType font handling. It may be one of the last vulnerabilities Microsoft fixes for the aging OS.

Microsoft will discontinue support for Windows XP next year, which means that if new vulnerabilities are found, Microsoft will not fix them, aside from customers who pay the company considerable sums for continued support.

As a result, Windows XP "will very quickly become quite an easy target for attackers," Kandek said. He noted that 10 percent of the companies that Qualys consults with still run Windows XP. "Nobody should use XP anymore after its expiration date."

This month's set of patches dredges up another specter from the past: the dreaded Ping of Death, which was exploited in the late 1990s for denial-of-service (DoS) attacks. It worked by sending an oversized ping request, split across multiple packets, that would crash the computer attempting to reassemble the message from its fragments.

Although the holes that led to the original Ping of Death have long been fixed in operating systems, this vulnerability works in a similar way, taking advantage of a flaw in the IPv6 implementation of ICMP (the Internet Control Message Protocol), the protocol underlying ping.
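The mechanism described above, as an added illustration that is not part of the original article and is not Windows' (or any real stack's) reassembly code: a toy IP fragment reassembler that enforces the datagram size limit a Ping of Death overruns. The fragment layout (byte offsets rather than the real header's 8-byte units, a fixed 20-byte header, and the sample fragment sets) is constructed for the example.

```python
"""Toy fragment reassembly with the bounds check a Ping of Death relies on being absent.

Constructed model, not a real IP stack: a fragment is (offset, more_fragments, payload)
with the offset given in bytes. The reassembler refuses any fragment whose end would
push the reassembled datagram past the protocol maximum, which is the condition an
oversized ping triggers in an unchecked implementation.
"""

MAX_DATAGRAM = 65535              # largest total datagram length (header + payload)
IP_HEADER = 20                    # assumed fixed header size for this toy model
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER


class ReassemblyError(ValueError):
    """Raised when a fragment set cannot be safely reassembled."""


def fragment_fits(offset, length):
    """True if a fragment of `length` bytes at `offset` stays within MAX_PAYLOAD.

    An unchecked reassembler would instead write offset+length bytes into a
    buffer sized for MAX_DATAGRAM, which is the overflow the 1990s attack caused.
    """
    return offset + length <= MAX_PAYLOAD


def reassemble(fragments):
    """Reassemble an iterable of (offset, more, payload) tuples into one payload.

    Raises ReassemblyError for oversized, overlapping, gapped or incomplete sets
    instead of producing an undersized or overrun buffer.
    """
    pieces = {}
    total_len = None
    for offset, more, payload in fragments:
        if not fragment_fits(offset, len(payload)):
            raise ReassemblyError(
                f"fragment at {offset} ends at {offset + len(payload)}, "
                f"beyond the {MAX_PAYLOAD}-byte payload limit"
            )
        if not more:
            # The last fragment fixes the final size; two different answers
            # mean the sender is lying about the datagram length.
            end = offset + len(payload)
            if total_len is not None and total_len != end:
                raise ReassemblyError("conflicting last-fragment lengths")
            total_len = end
        pieces[offset] = payload

    if total_len is None:
        raise ReassemblyError("last fragment never arrived")

    buf = bytearray()
    for offset in sorted(pieces):
        if offset != len(buf):
            raise ReassemblyError(f"gap or overlap at offset {offset}")
        buf += pieces[offset]
    if len(buf) != total_len:
        raise ReassemblyError("reassembled length does not match last fragment")
    return bytes(buf)


# Constructed sample: a benign 1500-byte echo payload split into three pieces.
BENIGN = [
    (0, True, b"A" * 500),
    (500, True, b"B" * 500),
    (1000, False, b"C" * 500),
]

# Constructed sample: a final fragment placed so the datagram would exceed 65535 bytes.
OVERSIZED = [
    (0, True, b"A" * 500),
    (65000, False, b"Z" * 600),
]


def demo():
    """Return the outcome for both sample sets so the behaviour can be checked."""
    results = {"benign": reassemble(BENIGN)}
    try:
        reassemble(OVERSIZED)
        results["oversized"] = "accepted"
    except ReassemblyError as exc:
        results["oversized"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome if isinstance(outcome, str) else f"{len(outcome)} bytes")
```

The point of the example is the order of operations: the size check runs before any byte is copied, so a hostile fragment set costs the receiver a comparison rather than a crash. Real stacks additionally bound how long partial sets are held, since a flood of never-completed fragments is itself a denial-of-service vector.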

Microsoft labeled this vulnerability as important, perhaps due to the limited number of IPv6 networks currently running. But it is a good reminder that many security issues previously thought solved may come up again as organizations move to IPv6.

"It allows a remote unauthenticated attacker to send a few ICMP packets that would cause the machine to crash," Sarwate said. "It illustrates how much we still have to learn about IPv6."

If a company has no immediate plans to move to IPv6, its administrators should disable the IPv6 features in the affected software, so that defects such as this one can't do any harm.

"If you disable it, you don't run into these problems," Kandek said. "If you don't use a certain piece of software, then there is nothing better than uninstalling it, in terms of security."

Since the start of the year, Microsoft has issued 65 patches, seven more than at the same time last year. The company seems to be making headway toward addressing the most serious vulnerabilities, however. Thus far, Microsoft has issued 25 critical patches, 10 fewer than at the same time last year, though 40 patches this year have been important, compared to 35 last year, according to a count from security research firm Lumension.

Microsoft will hold a webcast to explain these issues in more detail on Wednesday.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is
