Microsoft released seven security bulletins March 12 as part of its Patch Tuesday update, including a critical fix for Internet Explorer (IE).
Four of the bulletins were rated “critical,” while the other three were ranked as “important.” All totaled, 20 vulnerabilities were fixed across Microsoft Windows, IE, Office, Server Tools and Silverlight.
The IE bulletin solves nine security bugs in the browser, the most severe of which could enable attackers to remotely execute code if a user views a specially crafted Web page. All but one of these vulnerabilities was disclosed privately, and Microsoft said it has yet to detect any attacks exploiting the bugs, all of which are use-after-free vulnerabilities. Not included in the fixes is a patch for any IE vulnerabilities exploited in the recent Pwn2Own contest at CanSecWest. These holes are still being investigated, Microsoft told eWEEK.
“Use-after-free has been pretty popular over the last few month, and we suspect we will see more of these in the near future,” noted Ziv Mador, director of security research at Trustwave. “If a user views a specially crafted Web page, it could result in remote code execution.”
Despite public disclosure of one of these CVEs, they haven’t been known to be exploited in the wild yet, he said. “However, Microsoft does expect to see exploit code for some or all of these in the near future,” said Mador.
The other critical bulletins affect Microsoft Server Tools, Office and Silverlight. However, tucked in among the bulletins ranked “important” was an issue affecting the Kernel-Mode Drivers that would allow an attacker to hijack a machine by inserting a malicious USB device.
“While this isn’t the first issue to leverage physical access and USB devices, it is different in that it doesn’t require a machine to be logged on,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “It also provides kernel-level code execution where previous attacks only allowed code execution at the logged-on level. Because of this, someone with casual physical access, such as a custodian sweeping your office at night or a security guard making his rounds, could simply plug in a USB device to perform any action as an administrator.
“This is much different than unrestricted physical access, where that same person would have to steal your machine, boot it using removable media and decrypt files on the hard drive,” Childs continued. “While it may be tempting to dismiss this sort of issue since it requires physical access, again, we want to do what is best for the customer. Casual physical access combined with kernel-mode code execution represent a significant enough threat that we released an update to address this issue.”
Based on Microsoft’s published severity rating system, the USB bug is correctly rated, said Andrew Storms, director of security operations at nCircle.
“That said, it’s always up to individual organizations to review patches and assign their own priority levels based on the unique security needs of their particular businesses,” Storms said. “The Microsoft security research and defense team put the patch third on their priority list, and that’s probably accurate for most organizations. Companies that have a lot of kiosks or other easy-to-access computers should probably prioritize it higher. They’ll need to evaluate the feasibility of disabling USB ports to mitigate this risk until the patch can be deployed.”
Also on March 12, Adobe Systems issued a patch for a handful of vulnerabilities in Adobe Flash Player. None of the vulnerabilities are known to be under attack in the wild, according to the company.