ID: IRCNE2012021406
Date: 2012-02-15
According to “ComputerWorld”, Microsoft yesterday issued nine security updates that patched 21 vulnerabilities in Windows, Internet Explorer (IE), Office, .Net, Silverlight and SharePoint Server, including several critical bugs that can be exploited with drive-by attacks.
Four of the nine updates were labeled "critical," Microsoft's highest threat ranking; the others were marked "important." Of the 21 total vulnerabilities, Microsoft classified six as critical, 14 as important and one as "moderate," a step below important on the company's four-step rating system.
MS12-010, which included fixes for four vulnerabilities in IE, and MS12-013, a one-patch update to Windows Vista, Windows 7, Server 2008 and Server 2008 R2, were unanimously selected by both Microsoft and independent security researchers as the two to deploy immediately.
Three of the four bugs addressed by MS12-010 can be exploited with "drive-by" attacks, the term that describes exploits that only require an IE user to be drawn to a malicious website to trigger the vulnerability.
MS12-008 patches a critical flaw in Microsoft's C Run-Time Library, a dynamic link library (dll) that ships with most versions of Windows, and is used by both Microsoft and third-party developers.
"MS12-013 looks quite nasty and ominous," said Andrew Storms, director of security research at nCircle Security. "But the Security Research & Defense blog brought our feet back to the ground by describing that the only way to exploit [the vulnerability] is through Windows Media Player," added Storms.
Attackers must convince victims to either download and open a malformed Media Player file, or visit a malicious website that hosts such a file, said Microsoft in the blog Storms referenced.
Microsoft today also patched vulnerabilities in Visio, a relatively little-used member of the Office family; in a Windows kernel-mode driver; in SharePoint Server; in the .Net and Silverlight frameworks; and in other products in its portfolio.
February's nine security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Related Links:
Patch Tuesday heads-up: 21 vulnerabilities, including 'critical' IE bulletin
- 2