Microsoft quashes 21 bugs, blocks drive-by attacks
Security updates patch half-dozen critical flaws in Windows, IE
Computerworld - Microsoft today issued nine security updates that patched 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, Silverlight and SharePoint Server, including several critical bugs that can be exploited with drive-by attacks.
Four of the nine updates were labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the 21 total vulnerabilities, Microsoft classified six as critical, 14 as important and one as "moderate," a step below important on the company's four-step rating system.
MS12-010, which included fixes for four vulnerabilities in Ie, and MS12-013, a one-patch update to Windows Vista, Windows 7, Server 2008 and Server 2008 R2, were unanimously selected by both Microsoft and independent security researchers as the two to deploy immediately.
Those two should need no prompting to reach the top of the patch list, said Jason Miller, VMware's manager of research and development. "Browsers and media files are the most sought-after for attackers because the audience is the biggest user base they can hit," said Miller.
Three of the four bugs addressed by MS12-010 can be exploited with "drive-by" attacks, the term that describes exploits that only require an IE user to be drawn to a malicious website to trigger the vulnerability.
MS12-008 patches a critical flaw in Microsoft's C Run-Time Library, a dynamic link library (dll) that ships with most versions of Windows, and is used by both Microsoft and third-party developers.
"MS12-013 looks quite nasty and ominous," said Andrew Storms, director of security research at nCircle Security. "But the Security Research & Defense blog brought our feet back to the ground by describing that the only way to exploit [the vulnerability] is through Windows Media Player," added Storms.
Attackers must convince victims to either download and open a malformed Media Player file, or visit a malicious website that hosts such a file, said Microsoft in the blog Storms referenced.
Miller wasn't so sanguine about MS12-013, betting that the Media Player attack vector would attract hackers.
"All an attack requires is that the user open a media file, and we know how prevalent media is now," said Miller. "An email with a malicious link may not be very interesting, but if you tell [the recipient] there's a video of something cool, they're much more likely to continue."
Microsoft today also patched vulnerabilities in Visio, a relatively little-used member of the Office family; in a Windows kernel-mode driver; in SharePoint Server; in the .Net and Silverlight frameworks; and in other products in its portfolio.
February's nine security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts