Microsoft quashes 21 bugs, blocks drive-by attacks

Security updates patch half-dozen critical flaws in Windows, IE

Microsoft today issued nine security updates that patched 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, Silverlight and SharePoint Server, including several critical bugs that can be exploited with drive-by attacks.

Four of the nine updates were labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the 21 total vulnerabilities, Microsoft classified six as critical, 14 as important and one as "moderate," a step below important on the company's four-step rating system.

MS12-010, which included fixes for four vulnerabilities in IE, and MS12-013, a one-patch update to Windows Vista, Windows 7, Server 2008 and Server 2008 R2, were unanimously selected by both Microsoft and independent security researchers as the two to deploy immediately.

Those two should need no prompting to reach the top of the patch list, said Jason Miller, VMware's manager of research and development. "Browsers and media files are the most sought-after for attackers because the audience is the biggest user base they can hit," said Miller.

Three of the four bugs addressed by MS12-010 can be exploited with "drive-by" attacks, the term that describes exploits that only require an IE user to be drawn to a malicious website to trigger the vulnerability.

MS12-008 patches a critical flaw in Microsoft's C Run-Time Library, a dynamic link library (DLL) that ships with most versions of Windows and is used by both Microsoft and third-party developers.

"MS12-013 looks quite nasty and ominous," said Andrew Storms, director of security research at nCircle Security. "But the Security Research & Defense blog brought our feet back to the ground by describing that the only way to exploit [the vulnerability] is through Windows Media Player," added Storms.

Attackers must convince victims to either download and open a malformed Media Player file, or visit a malicious website that hosts such a file, said Microsoft in the blog Storms referenced.

Miller wasn't so sanguine about MS12-013, betting that the Media Player attack vector would attract hackers.

"All an attack requires is that the user open a media file, and we know how prevalent media is now," said Miller. "An email with a malicious link may not be very interesting, but if you tell [the recipient] there's a video of something cool, they're much more likely to continue."

Microsoft today also patched vulnerabilities in Visio, a relatively little-used member of the Office family; in a Windows kernel-mode driver; in SharePoint Server; in the .Net and Silverlight frameworks; and in other products in its portfolio.

February's nine security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
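For administrators who push these updates through WSUS, the follow-up question is whether a given host actually received them. The script below is an added example, not part of the article or of any Microsoft tooling; it maps each bulletin to the KB articles it ships and reports any that are missing. The KB numbers are placeholders (the article does not list them), so they must be filled in from the bulletin pages before use.

```powershell
# Added example (not from the article): check a Windows host for the
# February 2012 bulletins. Each bulletin can ship as a different KB per
# product, hence the array. The KB IDs are PLACEHOLDERS; replace them with
# the real numbers from the MS12-008 / MS12-010 / MS12-013 bulletin pages.
$bulletins = @{
    'MS12-008' = @('KB0000001')   # placeholder, C Run-Time Library update
    'MS12-010' = @('KB0000002')   # placeholder, cumulative IE update
    'MS12-013' = @('KB0000003')   # placeholder, Windows Media Player path
}

# Get-HotFix reads Win32_QuickFixEngineering, which only lists Windows
# (QFE/MSU) updates. Office, SharePoint, Silverlight and .NET updates that
# install via MSI/MSP do not appear here and need a separate check.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = foreach ($b in $bulletins.GetEnumerator()) {
    foreach ($kb in $b.Value) {
        if ($installed -notcontains $kb) {
            [pscustomobject]@{ Bulletin = $b.Key; KB = $kb }
        }
    }
}

if ($missing) {
    # Non-zero exit lets a scheduling or config-management tool flag the host.
    $missing | Format-Table -AutoSize
    exit 1
}
else {
    Write-Output 'All listed bulletins are installed.'
}
```

Run it under an account that can query WMI on the host; for fleet-wide results, the same lookup can be done against WSUS reporting rather than host by host, and the Office, Silverlight and .NET bulletins from this release need a package-based check since they will not show up in the hotfix list.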

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
