Microsoft addressed 22 flaws with 12 separate bulletins in February’s edition of Patch
Tuesday, including three bulletins that were rated critical with the remaining nine
rated as important. Among the programs affected are Microsoft Windows, Internet
Explorer, Office, Visual Studio, and IIS.
The first patch receiving a critical rating is a cumulative
security update for Internet Explorer,MS11-003, which
affects Windows and Internet Explorer. The vulnerabilities could
allow remote code execution if a user views a specially crafted Web page using
Internet Explorer or if a user opens a legitimate HTML file that loads a
specially crafted library file. An attacker who successfully exploited any of
these vulnerabilities could gain the same user rights as the local user.
Accounts with limited user rights on a system would be less affected than those
with administrative access.
MS11-006,
a vulnerability in Windows shell graphics processing could allow remote
code execution if a user views a specifically crafted thumbnail image,
and it resolves a publicly disclosed vulnerability. If exploited, an attacker
can gain the same rights as the logged in user, and as usual, the fewer rights a
user has the less impacted he/she will be.
The final critical vulnerability isMS11-007, a bug in the OpenType compact font
format (CFF) driver that again could allow remote code execution to any user who views content rendered in a specially crafted CFF
font. To exploit this vulnerability, an attacker would need to persuade users
visit the attacker’s website by convincing them to click a link, typically in
an email or instant message.
The remaining patches are all rated important. MS11-004 resolves a publicly disclosed
vulnerability in Microsoft Internet Information Services (IIS) FTP Service that
could allow remote code execution if an FTP server receives specially crafted
commands. MS11-005 resolves a
bug that could allow an attacker to launch a DoS if the attacker sent a
specifically crafted packet to an affected Active Directory server. Two
privately reported bugs are resolved in MS11-008. These could
allow an attacker remote code execution with the same user rights as the logged
in user given they opened a specifically crafted Visio file. MS11-009 resolves a
privately reported vulnerability in the JScript and VBScript scripting engines
that. The vulnerability could allow information disclosure if a user visited a
specially crafted Web site. Again, an attacker would have to trick the user
into following a link via email or some messaging platform.
The five remaining vulnerabilities all address issues in windows
that could lead to an elevation of privileges. MS11-010 resolves a privately reported
vulnerability in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS)
in Windows XP and Windows Server 2003 that could
allow elevation of privilege if an attacker logs on to a user’s system and
starts a specially crafted application that continues running after the
attacker logs off in order to obtain the logon credentials of subsequent users.
MS11-011 resolves one publicly
disclosed vulnerability and one privately reported vulnerability that could allow elevation of privilege if an attacker logged
on locally and ran a specially crafted application. MS11-012 resolves five
privately reported vulnerabilities that could allow elevation of privilege if an attacker logged on
locally and ran a specially crafted application.
MS11-013 resolves one privately
reported vulnerability and one publicly disclosed vulnerability, the more
severe of these vulnerabilities could allow elevation of privilege if a local,
authenticated attacker installs a malicious service on a domain-joined computer.
MS11-014
resolves a privately
reported vulnerability in the Local Security Authority Subsystem Service
(LSASS) in Windows XP and Windows Server 2003 that could allow elevation of
privilege if an attacker logs on to a system and runs a specially crafted
application.