Microsoft released nine new security bulletins fixing 21 vulnerabilities in all supported versions of Internet Explorer and the Windows operating system, Microsoft Office and .NET/Silverlight in its February Patch Tuesday release.
Four of the nine bulletins were rated “critical” because the vulnerabilities could result in remote-code execution on the computer if exploited, according to Microsoft’s Patch Tuesday security advisory released Feb. 14. The critical bulletins affect all supported Windows platforms, from the outgoing Windows XP to the latest Windows 7. This presents adversaries with a “large attack surface,” said Don DeBolt, director of threat research at Total Defense.
The critical bulletin addressing four flaws in all versions of Internet Explorer (MS12-010) should be a top priority as attackers are increasingly relying on browser exploits to compromise users, security experts advised. These flaws can potentially be used in drive-by downloads.
Typically, we expect newer versions of IE to be a little safer but thats not the case this month,” said Andrew Storms, director of security operations at nCircle.
Even though the IE bulletin is rated critical, the bugs were not publicly disclosed previously and exploits haven’t appeared in the wild yet. However, attackers can move quickly with new exploits as soon as patches are available. Exploits targeting Windows Media appeared in the wild within two weeks after Microsoft released a patch fixing remote-code-execution vulnerabilities (MS12-004) during January’s Patch Tuesday release.
The Windows kernel (MS12-008) and the .NET/Silverlight (MS12-016) issues have both been publicly disclosed, but no active attacks have been observed in the wild yet. Considering that the kernel issue has been discussed fairly extensively online, it is likely that “something would have turned up by now” if it had been truly exploitable, said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.
However, the .NET/Silverlight bug is applicable to both PCs and Macs as users browsing malicious Web pages can be hit by drive-by download attacks.
The vulnerabilities in Internet Explorer and .NET/Silverlight may result in mass exploitation using off-the-shelf toolkits such as Blackhole, said Baumgartner.
The Microsoft C Runtime flaw in Windows Media Player (MS12-013) is also dangerous as attackers could trick users into opening a maliciously crafted media file. However, the attack vector is very limited, as the flaw does not affect Visual Studio or other third-party applications that dynamically link to msvcrt.dll.
“The vulnerability is not as broad an attack surface as it first seems,” said Baumgartner.
Microsoft released two bulletins fixing the previously disclosed DLL-preload vulnerability this month. The vulnerability was originally disclosed in November 2010, and Microsoft has patched various affected Microsoft applications 22 times to date. “It is safe to say we will continue to see the DLL preload vulnerability being addressed by Microsoft in the coming months,” said Jason Miller, manager of research and development at VMware.
The DLL-preloading issue in the Color Control Panel (MS12-012) should probably have been rated as critical because there is a potential for remote-code execution, said DeBolt. Microsoft chose to rate it “important” because the remote attacker would be limited to having the permissions of the logged-in user. Since this vulnerability has already been publicly disclosed, it was likely that an exploit was already in the wild, said DeBolt.
Although Microsoft fixed 21 vulnerabilities in this release, some of the bulletins should be “less worrisome” for IT administrators, said Wolfgang Kandek, CTO of Qualys.
The Office bulletin (MS12-015) fixes an issue in Visio Viewer. Visio is not as widely deployed as other Office programs, so many IT administrators may not have to worry about the issue. The Visio vulnerability would likely be exploited in a spear-phishing attack, where users would be tricked into opening a maliciously crafted Visio file.