03-14-13 | Blog Post
On Tuesday, Microsoft released their security bulletin for the month of March. This marks the second month in a row that Microsoft has needed a cumulative security update for Internet Explorer, again patching remote code execution vulnerabilities within the browser. Of the seven updates, four are considered critical, the others rated important.
The update for Internet Explorer patches nine vulnerabilities, one of which was publicly disclosed, and can be exploited in the event that a user views a specially crafted web page using IE. This is rated critical for Internet Explorer 6-10. It will require a restart.
There were also remote code execution vulnerabilities found within Microsoft Silverlight and all supported versions of Microsoft Visio Viewer 2010. Both of these vulnerabilities at their worst could allow the attacker to gain the same rights as the user.
The last of the critical updates addresses four vulnerabilities found in Microsoft SharePoint and SharePoint Foundation. In the event that a user clicks on a specially crafted URL and goes to a targeted SharePoint site, the attacker has the potential to successfully execute an elevation of privilege exploit. Microsoft has resolved these issues by making changes to the way Microsoft SharePoint Server validates URLs and user input.
The important updates include two vulnerabilities that would allow information disclosure in Microsoft Office for Mac, as well as OneNote. Lastly, there’s a kernel-mode driver vulnerability that would allow an elevation of privilege on all supported releases of Microsoft Windows, in the event that the attacker is able to get physical access to the system.
Again, one of the best practices for lowering the risk of your company being affected by issues like these is to give users only as many rights within a system as absolutely necessary. Keeping users at a need-to-know level of access means that if an attacker does succeed with a remote code execution exploit, the access gained is still limited to that user's rights. As Thu wrote in an earlier blog, people are the weakest link in security, and limiting access is a good way to address that, along with security training and policies.