Microsoft repaired 23 vulnerabilities this month, fixing critical flaws in Internet Explorer, the Windows kernel and a serious error in the C runtime library that could be targeted by attackers using Windows Media Player.
The software giant released nine bulletins, including four “critical” bulletins as part of its
Bulletin MS12-010, which addresses four Internet Explorer vulnerabilities, was given a high priority by Microsoft and security-patching experts. The two most severe IE flaws could allow for remote code execution in Internet Explorer 7, 8 and 9.
“All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild,” wrote Angela Gunn, senior response communications manager for Microsoft Trustworthy Computing in the MSRC blog. ”We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.”
The Internet Explorer patch should be made first priority because Web-based attacks are common and cybercriminals could easily set up a malicious webpage to target victims or capture them in drive-by attacks, said Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc.
“The Internet Explorer [patch] is the most critical because there are so many attacks against browsers in general. Anything that happens on the browser needs to be high on the list,” Kandek said.
Microsoft recommends customers who have not enabled automatic updating should manually install the patch immediately. Enterprises with automatic update enabled don’t need to take action.
MS12-013, which addresses a buffer overflow vulnerability in the C runtime library, should also receive immediate attention, according to Microsoft. The vulnerability could be exploited remotely in Windows 7 and Vista. It can only be accessed through one attack vector: Windows Media Player. An attacker must trick a person into opening a malicious media file on a website or in an email attachment.
Microsoft also addressed two critical kernel-level vulnerabilities in MS12-008 that could be targeted by attackers by tricking users into visiting a malicious website through an email or instant message. The flaw affects users of Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008. If successfully exploited, both errors could enable an attacker to run code in kernel-mode and install additional malware.
In addition, Microsoft issued MS12-016, which addresses two critical vulnerabilities in Microsoft .NET Framework and Silverlight, and should be considered high priority for users of those applications, whether running them on a Mac or PC. Corporations should be mindful that one of the vulnerabilities affects work stations, and the other can affect servers, according to Qualys’ Kandek.
An attacker who successfully exploits the coding errors can gain complete control of the machine or server and install additional malware, change or delete data and create new accounts with full user rights, according to Microsoft. The patch addresses the problem by “correcting the manner in which Microsoft .NET Framework and Microsoft Silverlight use unmanaged objects,” Microsoft said.
Other bulletins address three flaws in Microsoft SharePoint, a flaw in the Color Control Panel in Windows and five flaws in Microsoft Office that could be targeted using a malicious Visio file. The bulletins are rated “important,” but could potentially allow elevation of privilege and remote code execution.