Nine bulletins from Microsoft on Patch Tuesday, as Adobe fixes critical flaw in Shockwave
Microsoft released nine bulletins to cover 21 vulnerabilities on this month's Patch Tuesday.
As revealed by SC Magazine last week, four of the bulletins were rated critical; together the nine bulletins cover 21 vulnerabilities in Windows, Office, Internet Explorer and .NET/Silverlight. According to Microsoft Trustworthy Computing spokesperson Angela Gunn, customers should plan to install all of these updates as soon as possible.
She recommended focusing first on two critical updates: MS12-010 and MS12-013. MS12-010 is an update for Internet Explorer that addresses four issues (two critical, one important and one moderate) affecting all versions; the most severe could allow remote code execution if an attacker convinced a user to visit a maliciously constructed web page, although Microsoft said it knew of no active exploitation in the wild.
MS12-013 fixes an issue that could be exploited if an attacker sent a malicious media file to a targeted user, or convinced the user to visit a web page hosting such a file.
Tyler Reguly, technical manager of security research and development at nCircle, said MS12-013 was the most interesting bulletin “as everyone is likely to see this critical vulnerability and freak out”. “However, it's important to note that the attack vector is limited. It's not great news, but it does improve the situation,” he said.
Andrew Storms, director of security operations at nCircle, said: “IT security teams are not getting any candy hearts from Microsoft today; instead, every version of Internet Explorer gets an update. Typically, we expect newer versions of IE to be a little safer but that's not the case this month.
“We are also getting another ‘nasty gram’ with MS12-013, a bug in the Microsoft C runtime library. At first glance, this bulletin looks like bad news, but so far the only attack vector is via Microsoft Media Player. Patch this one right after you patch Internet Explorer; attackers will probably have exploits for this very shortly.”
Wolfgang Kandek, CTO of Qualys, said: “Some of the nine bulletins should be less worrisome to IT admins: the Office vulnerability (MS12-015) is in the relatively rare Visio viewer program, MS12-011 is an XSS vulnerability in SharePoint and MS12-014 and MS12-012 cover DLL preloading vulnerabilities, one in the now deprecated Indeo Codec and the other one in the Color Control Panel.
“MS12-016 should also be broadly considered. It applies to workstations, servers and even Macs; all instances of the .NET framework and Silverlight are vulnerable. Users browsing to malicious web pages can be affected and then allow remote code execution.
“Server administrators need to take a look: if their users are allowed to upload their own ASP.NET files to run on the machine and if the server runs under a fully trusted setting, the attacker could break out of the ASP.NET sandbox and take control of the server.”
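The "fully trusted setting" Kandek mentions is the ASP.NET `<trust>` element in web.config. The fragment below is an added illustration, not from the original article or from Microsoft, and is a constructed example rather than the configuration of any particular server: the first block is the weak, fully trusted setting that lets uploaded ASP.NET code do anything the worker process identity can; the second is the partial-trust setting an administrator would put in the machine-level root web.config so that individual applications cannot raise their own trust level. The root web.config path shown is the one for .NET 4 on a 32-bit install (64-bit installs use Framework64); adjust it for the framework version in use.

```xml
<!-- Weak setting (constructed example): an application's own web.config
     grants itself Full trust, so there is no sandbox around any .aspx or
     .ashx a user manages to upload. -->
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>

<!-- Hardened setting (constructed example), placed in the machine-level
     root web.config, e.g.
     %windir%\Microsoft.NET\Framework\v4.0.30319\Config\web.config,
     so that allowOverride="false" stops any application web.config from
     overriding the trust level back to Full. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Medium trust restricts file, registry and network access for application code and breaks some applications, so test before rolling it out. It is defence in depth, not a substitute for the patch: the bulletin is about an escape from the sandbox itself, so a server that relies on partial trust to contain user-uploaded code still needs MS12-016 applied.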
Paul Henry, security and forensic analyst at Lumension, said: “All in all, it's a pretty sweet Valentine's Day. We've had two fairly light patching periods in a row, with just seven from Microsoft last month. Clearly, the company's renewed focus is paying off. Now if folks would just follow through and patch.
“The light patch load from Microsoft does not mean IT can sit back and relax, however. A significant patch update from Oracle came out recently and, as always, threats targeting Java must be addressed, as currently it is the most popular attack vector of the ‘bad guys’.”
Adobe also released patches yesterday for critical-severity vulnerabilities in Shockwave Player and an important-severity vulnerability in RoboHelp for Word. The Shockwave patch addresses critical vulnerabilities in Adobe Shockwave Player 188.8.131.523 and earlier versions on Windows and Macintosh; Adobe said these vulnerabilities could allow an attacker to run malicious code on the affected system.
The important-severity patch, for RoboHelp 9 and RoboHelp 8 for Word on Windows, covers a vulnerability whereby a specially crafted URL could be used to mount a cross-site scripting attack against the web-based output.