Microsoft sent Windows administrators a little love this Valentine’s Day, issuing nine bulletins – four of which are deemed critical – intended to fix 21 vulnerabilities spread across Windows Server 2008 R2, desktop Windows, Sharepoint and Internet Explorer.
Two of the critical fixes administrators should consider applying immediately, in the opinion of some observers, are security updates to Windows Server, Windows desktop, and Internet Explorer. The first, called MS12-013, addresses a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted media file hosted on a website or sent as an email attachment. If successful, an attacker could gain the same user rights as the local user.
“This bulletin addresses a vulnerability in the C Run-Time Library. If an attacker entices a user to open a malicious media file, the attacker can gain full access to a system. In this new media and social media age, media file attack vectors are just as important as browser attack vectors when it comes to patching security vulnerabilities,” said Jason Miller, manager of research and development for VMware.
The second, MS12-10, is also a security update designed to resolve four privately reported vulnerabilities in Internet Explorer, the most severe of which could allow remote code execution if users view a web page using Internet Explorer. As with MS12-013, attackers can potentially gain the same user rights as users who are logged on.
“As is the case with most, if not all Internet browsers, it is extremely important to patch as soon as possible as browsers are one of the most attacked pieces of software. The vulnerabilities addressed in this patch could allow an attacker to exploit the browser through malicious websites,” Miller said.
A third critical patch, MS12-008, is intended to address vulnerabilities in Windows kernel-mode drivers that leave the door open to remote code execution. This security update, also privately reported, prevents an attacker from carrying out remote code execution if a user has visited a website with “specially crafted content." This fix prevents an attacker from forcing users to visit malicious websites. Once this fix is applied, attackers would have to convince users to visit the website by getting them to click a link in an email message that takes them to that website.
A fourth Windows update, labeled important, is aimed at resolving a couple of privately reported vulnerabilities that permit an elevation of privilege if an attacker successfully logs on to a user’s system and is able to run a "specially crafted application.” An attacker however must have valid logon credentials and be able to log on locally to exploit those vulnerabilities, according to a Microsoft spokesman.
For more technical details on all the bulletins issued today, users can visit the official Microsoft TechNet page.