Some people send roses on Valentine’s Day. This year, Microsoft is giving Windows users a bouquet of security fixes as the regularly scheduled Patch Tuesday release falls on February 14.
The Febuary Patch Tuesday update includes nine security bulletins that fix 21 security vulnerabilities. At the top of the February Patch Tuesday update is a cumulative security update for Internet Explorer (IE) web browser that fixes four flaws, two of which are rated as being critical. The IE flaws affect multiple IE versions including IE 6, 7, 8, and 9.
“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer,” Microsoft warns in its advisory. “An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user.”
According to Microsoft, all of the IE flaws were properly reported to Microsoft and none of them are currently being exploited. That’s not the case with another of the critical patch bulletins — for which exploit code is likely already available, according to Microsoft.
Microsoft has identified vulnerabilities in Windows Kernel-Mode Drivers that could allow remote code execution. The kernel-mode flaws could be exploited if a user is directed to a malicious website by an attacker.
The other critical patch updates include a vulnerability in the C Run-Time library and vulnerabilities in Microsoft’s Silverlight and .NET media frameworks. According to Marcus Carey, security researcher at Rapid7, all of the critical bulletins will likely affect all organizations. The critical bulletins are all related to browsers and media players, and are the most likely to result in a compromise via end-user interaction.
“All the critical bulletins are primed for phishing attacks, which can result in a complete compromise of the user’s and organization’s data,” Carey told InternetNews.com.
Overall, Carey says that organizations should expect that the long-standing trend of web browser and media player exploits will continue.
“Regardless of announced vulnerabilities, organizations should enforce policy and processes that reduce risk related to browser and media player exploits,” Carey said. “The problem with browser and media player compromises is that the end-user is unaware that they have been compromised, which can lead to the kind of long-term breaches we see reported in the news these days.”
In addition to the four critical bulletins, the February Patch Tuesday update includes five bulletins rated as ‘Important’ by Microsoft.
One of the Important bulletins deals with an vulnerability in the color control panel, which could potentially lead to a remote code execution.
“A remote code execution vulnerability exists in the way that the Color Control Panel handles the loading of DLL files,” Microsoft warns in its advisory. “An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
The vulnerability is related to a class of exploits that Microsoft first warned about in August of 2010, about insecure library loading.
There is also important bulletin for a remote code execution flaw in Visio.
“Visio is usually used by system administrators and network administrators, which could be very rewarding for an attacker if they were able to compromise Visio users,” Carey said.
Photography courtesy of Yoko Nekonomania.