Microsoft Security Updates Patch IE, Windows, Office Dangers

Security experts take particular note of patched vulnerabilities in Internet Explorer and Windows Common Controls.

Microsoft as part of its Patch Tuesday effort released six security bulletins that address 11 vulnerabilities, including one that the software giant said already is being used in the wild.

Four of the six bulletins are listed as €œcritical,€ while two more are listed as €œimportant,€ and cover a wide range of Microsoft applications, from Windows and Internet Explorer (IE) to Office, SQL Server and Developer Tools.

Security experts said users should take note of the number of Microsoft software products involved as well as the number of bulletins listed as critical.

"The specific threats covered in all 4 'Critical' bulletins carry a potential impact of remote code execution€ Jim Walter, manager of the McAfee Threat Intelligence Service for McAfee Labs, said in an email sent to journalists. €œAdd to this that so many popular products are among the affected, including Internet Explorer, Office, SQL Server, and the potential danger is increasingly apparent. IT administrators should take this into account when prioritizing patches.€

Kurt Baumgartner, a security expert with Kaspersky Lab, said in an April 10 post on the company€™s SecureList blog that all the Microsoft bulletins are important, but pointed at the ones that should be patched immediately. One of those is dubbed MS 12-027, which Microsoft officials reportedly said is being used in €œlimited, targeted attacks.€ The vulnerability is in Windows Common Controls, and cyber-criminals can use remote code execution attacks that are launched if a user goes to a malicious Website.

According to the Microsoft bulletin, an attacker would have to find a way to convince a user to visit the site, and normally would use an email or instant messaging (IM) text to get them to go to the malicious site.

Baumgartner also pointed to another bulletin, MS 12-023, which patches five IE vulnerabilities that, like the previous one, would lead to a remote code execution attack. According to Microsoft, the €œmost severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.€

Baumgartner said such remote code execution attacks impact consumers and businesses alike.

€œRCE attacks abusing these six IE and ActiveX vulnerabilities would look like Web browser redirections to malicious sites hosting Web pages attacking Internet Explorer and emails carrying malicious attachments constructed to appear familiar to the targeted victim,€ he wrote. €œThese are currently significant vectors of attack for both consumer/home and corporate Microsoft product users.€

Marcus Carey, a security researcher at security software maker Rapid7, agreed that the vulnerabilities found in IE should be fixed quickly.

€œThis should be the top priority for organizations as users could be compromised by drive-by exploits from Web pages with specially crafted malicious content,€ Carey said in an email sent to journalists. He also noted the dangers in the vulnerabilities around Windows Common Controls. €œAn attack would be able to remotely execute code by having a victim open a malicious file or go to a malicious Website. This is a basic data-handling vulnerability at the core of Microsoft applications.€

One of the vulnerabilities that Microsoft listed as important could have been upgraded, he said. It€™s another vulnerability€”listed in MS 12-028€”that could result in a remote code execution in Microsoft Office and Works if the user opens a €œspecially crafted Works file,€ according to Microsoft. A successful attacker could gain the same rights as the user.

€œThis one could easily be disputed and ranked as critical by many,€ Carey said. €œThe only thing it's missing is automatic administrative privileges. The attacker is limited to the permissions of the user that opens up a malicious document.€