Microsoft's 16 patches include one for "cookiejacking"

posted on June 10, 2011
by l33tdawg

Microsoft is prepping a large security update for Tuesday, with plans to deliver 16 patches to fix 34 vulnerabilities across its product line.

The patches will mend issues in Windows, Office, Internet Explorer, .NET Framework, SQL Server, Visual Studio, Silverlight and ISA Server, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, said in a company blog post.

Nine of the bulletins are rated "critical," while the remaining seven carry an "important" designation. The update touches all versions of Windows, Excel and Internet Explorer. Among the more notable fixes are two patches for Internet Explorer. One will address an issue known as "cookiejacking," which involves an attacker accessing a file stored inside a browser -- the cookie -- to steal access credentials.

Late last month, Italian security researcher Rosario Valotta disclosed the vulnerability, stating that it could be used to steal usernames and passwords used to log in to popular sites such as Facebook and Twitter. For users to be exploited, they must be tricked into dragging an object across their screen and dropping it into an "attacker controlled HTML element," a type of clickjacking tactic sometimes employed by hackers.

L33tdawg: Rosario's presentation slides (PDF) from HITB2011AMS
