Microsoft is expected to show some love for Windows administrators on Valentine's Day, with nine patches fixing 21 vulnerabilities in February's Patch Tuesday release.
Microsoft released nine new
security bulletins fixing 21 vulnerabilities in all supported versions of
Internet Explorer and the Windows operating system, Microsoft Office and
.NET/Silverlight in its February Patch Tuesday release.
Four of the nine bulletins
were rated "critical" because the vulnerabilities could result in
remote-code execution on the computer if exploited, according to Microsoft's
Patch Tuesday security advisory released Feb. 14. The critical bulletins affect
all supported Windows platforms, from the outgoing Windows XP to the latest
Windows 7. This presents adversaries with a "large attack surface,"
said Don DeBolt, director of threat research at Total Defense.
The critical bulletin
addressing four flaws in all versions of Internet Explorer (MS12-010) should be
a top priority as attackers are increasingly relying on browser exploits to
compromise users, security experts advised. These flaws can potentially be used
in drive-by downloads.
Typically, we expect newer
versions of IE to be a little safer but thats not the case this month,"
said Andrew Storms, director of security operations at nCircle.
Even though the IE bulletin
is rated critical, the bugs were not publicly disclosed previously and exploits
haven't appeared in the wild yet. However, attackers can move quickly with new
exploits as soon as patches are available. Exploits targeting Windows Media
appeared in the wild within two weeks after Microsoft released a patch fixing
remote-code-execution vulnerabilities (MS12-004) during January's Patch Tuesday
The Windows kernel
(MS12-008) and the .NET/Silverlight (MS12-016) issues have both been publicly
disclosed, but no active attacks have been observed in the wild yet.
Considering that the kernel issue has been discussed fairly extensively online,
it is likely that "something would have turned up by now" if it had
been truly exploitable, said Kurt Baumgartner, a senior security researcher at
.NET/Silverlight bug is applicable to both PCs and Macs as users browsing
malicious Web pages can be hit by drive-by download attacks.
The vulnerabilities in
Internet Explorer and .NET/Silverlight may result in mass exploitation using
off-the-shelf toolkits such as Blackhole, said Baumgartner.
The Microsoft C Runtime flaw
in Windows Media Player (MS12-013) is also dangerous as attackers could trick
users into opening a maliciously crafted media file. However, the attack vector
is very limited, as the flaw does not affect Visual Studio or other third-party
applications that dynamically link to msvcrt.dll.
"The vulnerability is
not as broad an attack surface as it first seems," said Baumgartner.
Microsoft released two
bulletins fixing the previously disclosed DLL-preload vulnerability this month.
The vulnerability was originally disclosed in November 2010, and Microsoft has
patched various affected Microsoft applications 22 times to date. "It is
safe to say we will continue to see the DLL preload vulnerability being
addressed by Microsoft in the coming months," said Jason Miller, manager
of research and development at VMware.
The DLL-preloading issue in
the Color Control Panel (MS12-012) should probably have been rated as critical
because there is a potential for remote-code execution, said DeBolt. Microsoft
chose to rate it "important" because the remote attacker would be
limited to having the permissions of the logged-in user. Since this
vulnerability has already been publicly disclosed, it was likely that an
exploit was already in the wild, said DeBolt.
Although Microsoft fixed 21
vulnerabilities in this release, some of the bulletins should be "less
worrisome" for IT administrators, said Wolfgang Kandek, CTO of Qualys.
The Office bulletin
(MS12-015) fixes an issue in Visio Viewer. Visio is not as widely deployed as
other Office programs, so many IT administrators may not have to worry about
the issue. The Visio vulnerability would likely be exploited in a spear-phishing
attack, where users would be tricked into opening a maliciously crafted Visio file.