Microsoft quashes 21 bugs, blocks drive-by attacks
Security updates patch half-dozen critical flaws in Windows, IE
Computerworld - Microsoft today issued nine security updates that patched 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, Silverlight and SharePoint Server, including several critical bugs that can be exploited with drive-by attacks.
Four of the nine updates were labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the 21 total vulnerabilities, Microsoft classified six as critical, 14 as important and one as "moderate," a step below important on the company's four-step rating system.
MS12-010, which included fixes for four vulnerabilities in Ie, and MS12-013, a one-patch update to Windows Vista, Windows 7, Server 2008 and Server 2008 R2, were unanimously selected by both Microsoft and independent security researchers as the two to deploy immediately.
Those two should need no prompting to reach the top of the patch list, said Jason Miller, VMware's manager of research and development. "Browsers and media files are the most sought-after for attackers because the audience is the biggest user base they can hit," said Miller.
Three of the four bugs addressed by MS12-010 can be exploited with "drive-by" attacks, the term that describes exploits that only require an IE user to be drawn to a malicious website to trigger the vulnerability.
MS12-008 patches a critical flaw in Microsoft's C Run-Time Library, a dynamic link library (dll) that ships with most versions of Windows, and is used by both Microsoft and third-party developers.
"MS12-013 looks quite nasty and ominous," said Andrew Storms, director of security research at nCircle Security. "But the Security Research & Defense blog brought our feet back to the ground by describing that the only way to exploit [the vulnerability] is through Windows Media Player," added Storms.
Attackers must convince victims to either download and open a malformed Media Player file, or visit a malicious website that hosts such a file, said Microsoft in the blog Storms referenced.
Miller wasn't so sanguine about MS12-013, betting that the Media Player attack vector would attract hackers.
"All an attack requires is that the user open a media file, and we know how prevalent media is now," said Miller. "An email with a malicious link may not be very interesting, but if you tell [the recipient] there's a video of something cool, they're much more likely to continue."
Microsoft today also patched vulnerabilities in Visio, a relatively little-used member of the Office family; in a Windows kernel-mode driver; in SharePoint Server; in the .Net and Silverlight frameworks; and in other products in its portfolio.
February's nine security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!