


Thursday, 16 February 2012

Nine bulletins from Microsoft on Patch Tuesday, as Adobe fixes critical flaw in Shockwave

Microsoft released nine bulletins fixing 21 vulnerabilities in this month's Patch Tuesday.

As revealed by SC Magazine last week, four of the bulletins were rated as critical and covered 21 vulnerabilities in Windows, Office, Internet Explorer and .NET/Silverlight. According to Microsoft Trustworthy Computing spokesperson Angela Gunn, customers should plan to install all of these updates as soon as possible.

She recommended focusing first on two critical updates: MS12-010 and MS12-013. MS12-010 is an update for Internet Explorer and addresses two critical, one important and one moderate issue affecting all versions; the most severe could allow remote code execution if an attacker convinced a user to visit a maliciously constructed site, but Microsoft said it knew of no active exploitation in the wild.

MS12-013 fixes a vulnerability that could be exploited if an attacker sent a malicious media file to a targeted user, or convinced the user to visit a web page hosting such a file.

Tyler Reguly, technical manager of security research and development at nCircle, said MS12-013 was probably the most interesting bulletin "as people are prone to see this critical vulnerability and freak out". "However, you have to note that the attack vector is proscribed. It isn't great news; however, it does improve the placement," he said.

Andrew Storms, director of security operations at nCircle, said: “IT security teams aren't getting any candy hearts from Microsoft today; instead, every version of Internet Explorer gets an update. Typically, we predict newer versions of IE to be a bit safer but that is not the case this month.

"We also are getting another 'nasty gram' with MS12-013, a bug within the Microsoft C runtime library. At first glance, this bulletin seems like bad news, but to date the sole attack vector is via Microsoft Media Player. Patch this one right after you patch Internet Explorer; attackers will probably have exploits for this very shortly."

Wolfgang Kandek, CTO of Qualys, said: "Some of the nine bulletins need to be less worrisome to IT admins: the Office vulnerability (MS12-015) is within the relatively rare Visio viewer program, MS12-011 is an XSS vulnerability in Sharepoint and MS12-014 and MS12-012 cover DLL preloading vulnerabilities, one within the now deprecated Indeo Codec and the other one inside the Color Control Panel.

"MS12-016 should even be broadly considered. It applies to workstations, servers or even Macs; all instances of the .NET framework and Silverlight are vulnerable. Users browsing to malicious websites could be affected, which could then allow remote code execution.

"Server administrators will also want to have a look: if their users are allowed to upload their very own ASP.NET files to run on the machine and if the server runs under a fully trusted setting, the attacker could escape the ASP.NET sandbox and take control of the server."

Paul Henry, security and forensic analyst at Lumension, said: "All in all, it is a pretty sweet Valentine's Day. We've had two fairly light patching periods in a row, with just seven from Microsoft last month. Clearly, the company's renewed focus is paying off. Now if folks would just follow through and patch.

"The light patch load from Microsoft doesn't mean it can relax, however. A major patch update from Oracle came out recently and, as always, threats targeting Java have to be addressed, as currently it's the prime attack vector of the 'bad guys'."

Adobe also released a patch yesterday for a critical vulnerability in Shockwave and an important vulnerability in RoboHelp for Word. The Shockwave patch addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems; Adobe said that these vulnerabilities could allow an attacker to run malicious code on the affected system.

The important patch in RoboHelp 9 (or 8) for Word on Windows covers a vulnerability whereby a specially crafted URL can be used to create a cross-site scripting attack on web-based output.
