Microsoft quashes 21 bugs, blocks drive-by attacks
Security updates patch half-dozen critical flaws in Windows, IE
Computerworld - Microsoft today issued nine security updates that patched 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, Silverlight and SharePoint Server, including several critical bugs that can be exploited with drive-by attacks.
Four of the nine updates were labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the 21 total vulnerabilities, Microsoft classified six as critical, 14 as important and one as "moderate," a step below important on the company's four-step rating system.
MS12-010, which included fixes for four vulnerabilities in Ie, and MS12-013, a one-patch update to Windows Vista, Windows 7, Server 2008 and Server 2008 R2, were unanimously selected by both Microsoft and independent security researchers as the two to deploy immediately.
Those two should need no prompting to reach the top of the patch list, said Jason Miller, VMware's manager of research and development. "Browsers and media files are the most sought-after for attackers because the audience is the biggest user base they can hit," said Miller.
Three of the four bugs addressed by MS12-010 can be exploited with "drive-by" attacks, the term that describes exploits that only require an IE user to be drawn to a malicious website to trigger the vulnerability.
MS12-008 patches a critical flaw in Microsoft's C Run-Time Library, a dynamic link library (dll) that ships with most versions of Windows, and is used by both Microsoft and third-party developers.
"MS12-013 looks quite nasty and ominous," said Andrew Storms, director of security research at nCircle Security. "But the Security Research & Defense blog brought our feet back to the ground by describing that the only way to exploit [the vulnerability] is through Windows Media Player," added Storms.
Attackers must convince victims to either download and open a malformed Media Player file, or visit a malicious website that hosts such a file, said Microsoft in the blog Storms referenced.
Miller wasn't so sanguine about MS12-013, betting that the Media Player attack vector would attract hackers.
"All an attack requires is that the user open a media file, and we know how prevalent media is now," said Miller. "An email with a malicious link may not be very interesting, but if you tell [the recipient] there's a video of something cool, they're much more likely to continue."
Microsoft today also patched vulnerabilities in Visio, a relatively little-used member of the Office family; in a Windows kernel-mode driver; in SharePoint Server; in the .Net and Silverlight frameworks; and in other products in its portfolio.
February's nine security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts