Microsoft released nine security updates Tuesday, four rated critical and five important, fixing 21 different holes in various applications with its February patch release. The four critical fixes deal with vulnerabilities in the company’s Windows, Internet Explorer, .NET Framework and Silverlight programs that could allow remote code execution if left unpatched.
Microsoft considers MS12-010 and MS12-013 the update’s top-priority bulletins.
MS12-010 addresses four issues in Internet Explorer, two critical, one important and one moderate. The two critical issues could allow an attacker the same rights as a logged-on user while the other two could allow an attacker to view content remotely or via the browser’s processed memory.
In MS12-010, if a user were to open a specially crafted media file in Windows, it could lead to a buffer overflow in the C++ Run-Time Library. Alexander Gavrun, working with TippingPoint’s Zero Day Initiative, disclosed an issue with the vulnerability, yet Microsoft claims it isn’t actively being exploited in the wild.
Some of the other fixes involve a flaw (MS12-015) in the less-used Visio Viewer, where an attacker could gain access if a specially crafted Visio file was opened. A vulnerability (MS12-014) in the Indeo Codec could allow an attacker to run arbitrary code as the logged-on user if an .AVI file was opened from the same directory as a malicious .DLL file. Similarly, in Windows’ Color Control Panel, if a user opened an .ICM or .ICC file from the same directory as a malicious .DLL file, an attacker could gain control of their computer (MS12-012).
Two of the vulnerabilities marked ‘Important’ by Microsoft deal with flaws in Windows’ Ancillary Function Driver (MS12-009) and in SharePoint in Microsoft Office and Server products (MS12-011). Both of these vulnerabilities could allow elevation of privilege, according to the company: for MS12-009, if an attacker ran a malicious application; for MS12-011, if a user encountered an XSS vulnerability in SharePoint.
The monthly update is Microsoft’s last batch of updates before this year’s Pwn2Own competition, an annual hacking contest held the first week of March at Vancouver’s CanSecWest Conference. Each year entrants attempt to hack browsers like Microsoft’s Internet Explorer and Mozilla’s Firefox in the challenge run by TippingPoint.
It was around this time last year that Stephen Fewer, now with Harmony Security, bypassed Internet Explorer 8’s DEP and ASLR to execute a successful exploit in the browser on Windows 7.