Microsoft repaired a bevy of critical flaws in Internet Explorer and plugged a vulnerability in the Windows Kernel driver that could enable USB attacks regardless of whether the Windows Autorun feature is disabled.
The software giant issued seven bulletins in its March 2013 Patch Tuesday, with four critical security bulletins, repairing 20 coding errors in Windows, Internet Explorer, SharePoint, Office and OneNote.
Microsoft repaired 9 vulnerabilities in Internet Explorer. One of the coding errors is a publicly disclosed zero-day flaw in Internet Explorer 8, the company said. The flaws can be used in drive-by attacks if an attacker lures victim's to a malicious website, Microsoft said. The flaws enable cybercriminals to bypass security restrictions built into the browser. An attacker can exploit the flaws to gain the same user rights as the victim, Microsoft said. The Internet Explorer vulnerabilities affect all currently supported versions of IE, including the company's latest version, IE 10.
The vulnerabilities addressed by Microsoft do not include those exploited by security researchers at the recent Pwn2Own hacking competition at the CanSecWest Conference in Vancouver. One of the attacks used by security research firm VUPEN against IE had three flaws in one, bypassing browser security mechanisms to gain access to the system.
Microsoft is now releasing patches for its browser every month, getting away from its previous cycle of patching IE every other month, said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle Security.
"I don't think it's any surprise that there is a backlog of IE bugs, just like any browser has bugs in it," Storms said. "They're recognizing the value of a secure browser and trying to keep up with Google and Mozilla that have automatic update mechanisms."
Microsoft also addressed a critical vulnerability in Silverlight, the company's multimedia Web application framework. Silverlight is installed to run video streaming from Netflix and other services. The remote code execution flaw could be exploited by visiting a malicious website or carried out by injecting code in user-hosted content or banner advertisements. The company said attacks can be carried out by tricking users to click on a malicious link in an email message or an instant message.
The Silverlight security update is rated critical for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and all supported releases of Microsoft Windows, the company said. Successfully exploiting the flaw enables an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
Windows Kernel Flaw Enables USB Attack
A vulnerability in Microsoft Visio Viewer 2010 that can be remotely exploited was addressed in Microsoft Office. Visio Viewer is Microsoft's rendering engine in Office to enable users to view plans, drawings, charts and other architectural documents created in Microsoft Visio. The critical flaw can be exploited if an attacker passes a malicious Visio file to the victim. The attacker would gain the same user rights as the current user, Microsoft said.
Four critical server-side vulnerabilities were repaired in Microsoft SharePoint and SharePoint Foundation. The most severe vulnerabilities allow elevation of privilege if a user clicks a malicious URL that takes the user to an infected SharePoint site, Microsoft said. In one of the attack scenarios, malicious code would execute if a system administrator reviewed search strings in SharePoint, security experts said. A denial-of-service flaw can cause the SharePoint site to crash, requiring a manual restart.
Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., pointed to a Windows Kernel update as one that should rank high on the priority list. The Windows Kernel security update addresses three vulnerabilities that can give an attacker elevated privileges. The update is rated important for Windows XP, Vista, Windows 7 and 8 and Windows Server 2008 and 2012.
The update can be used by an attacker in a USB attack and implemented whether or not the USB Autorun feature is disabled, Kandek said. Individuals who leave their systems at the office or don't continually have their system in sight are most at risk of an attack, he said. In corporate environments, system administrators can turn off USB drives to systems while the patch gets tested prior to deployment.
"If you leave your computer in your hotel room, somebody can come in and easily get control over your computer with the attack," Kandek said.
In addition, Microsoft addressed a flaw in Office for Mac that could result in information disclosure, as well as a flaw in Microsoft OneNote that can result in information disclosure if an attacker convinces a user to open a specially crafted OneNote file.
In February, Microsoft fixed 13 vulnerabilities in Internet Explorer and repaired critical errors in Microsoft Exchange Server. The February update addressed 57 vulnerabilities in Microsoft software.
PUBLISHED MARCH 12, 2013