Microsoft released fixes for 21 security vulnerabilities as part of this month’s Patch Tuesday.
The vulnerabilities are covered in nine separate bulletins, including four that are rated ‘Critical.’ The most serious of the updates is MS12-010, opined Jim Walter, manager of the McAfee Threat Intelligence Service at McAfee Labs. Aimed at Internet Explorer, the update fixes four privately reported vulnerabilities.
“The Internet Explorer bulleting should be considered a top priority, as there’s a risk of code execution attacks,” Walter said. “If not attended to, browser exploits can be particularly harmful.”
Other security experts however said MS12-013 – which resolves a bug in the Microsoft C runtime-library – is the most interesting.
“At first glance, this bulletin looks like bad news, but so far the only attack vector is via Microsoft Media Player,” noted Andrew Storms, director of security operations for nCircle. “Patch this one right after you patch Internet Explorer—attackers will probably have exploits for this very shortly.”
The other critical bulletins include MS12-008, which addressed two vulnerabilities in Windows, and MS12-016, which fixes issues affecting the .NET Framework and Microsoft Silverlight that can be exploited to allow an attacker to remotely execute code.
The other five bulletins were rated ‘Important’, and affect Windows, Microsoft Office and Microsoft Server Software.
“Organizations should expect the trend of web browser and media player exploits to continue,” said Marcus Carey, security researcher at Rapid7. “Regardless of announced vulnerabilities, organizations should enforce policy and processes that reduce risk related to browser and media player exploits. The problem with browser and media player compromises is that the end-user is unaware that they have been compromised, which can lead to the kind of long term breaches we see reported in the news these days.”
