Microsoft to patch three critical vulnerabilities on Patch Tuesday
As usual, Microsoft didn't reveal details of the patches in its advance notification, so precise information about the nature of the fixes, other than their severity and the products they impact, is not yet available.
For instance, Microsoft revealed "no details, aside from remote code execution," on the critical flaw that affects Windows' Bluetooth capabilities, Eric Schultze, chief technology officer at Shavlik Technologies told SCMagazineUS.com.
The impact of this bug is somewhat mitigated because Bluetooth is not enabled by default, Schultze said.
"The flaw could possibly be a Bluetooth stack driver issue, which might allow for RCE (remote code execution) by exploiting the driver," said Andre Protas, director of research and preview services at eEye Digital Security. "The attack vector isn't confirmed, but it might be interesting to see someone exploit Windows by physical proximity over Bluetooth."
The second critical patch affects Internet Explorer and appears to be a cumulative update, Protas said.
"Microsoft is quick to patch these types of Internet Explorer vulnerabilities," according to Schultze. "The likelihood of being hacked is slim because we don't see these vulnerabilities being exploited in widespread attacks, and if they are exploited, it's a very small group of people who get hit."
The third critical flaw, which impacts the DirectX video functions, could be exploited when a visitor clicks on a malicious graphic or video image on a website, Schultze added.
"These can be pretty nasty depending on the difficulty in exploiting it," Protas said. "It also affects every Microsoft operating system, which is interesting."
Out of the remaining vulnerabilities, an “important” flaw impacts the Windows Internet Name Service (WINS), Microsoft's implementation of the NetBIOS name service, Active Directory and the Pragmatic General Multicast (PGM) protocol, which is a multicast transport protocol. All three could cause a denial-of-service on the impacted Windows PC, according to Microsoft.
Although Microsoft has listed it as a moderate flaw, Protas said he is interested to see which ActiveX controls will be given kill-bit capabilities, which allow users to set flags that prevent execution of some ActiveX controls while running Internet Explorer.