Internet Explorer takes the spotlight in this month’s Microsoft Security Updates. There were 12 updates for February, 5 of which are considered critical. Here’s the lowdown on the five critical vulnerabilities covered on Tuesday.
Cumulative Security Update for Internet Explorer and a Vulnerability in the Vector Markup Language
Both of these updates are relevant for IE 6-10, and both are to protect against vulnerabilities that could allow for remote code execution. If a user visits a specially crafted web page within Internet Explorer, an attacker could be given the same level of rights reserved for the user. All of these issues are related to the way IE handles objects in memory, and should be applied immediately.
Vulnerability in Media Decompression
This came from a publicly disclosed vulnerability in Microsoft Windows. This is a critical update for all editions of Windows XP, Windows Server 2003 and 2008, as well as Vista. Another remote code execution patch, this vulnerability could be exploited if a user opened a specially crafted media file, an Office document with embedded media files, or streaming content. This issues was corrected by focusing on the way DirectShow handles specially made media content. This may require a restart.
Vulnerabilities in Microsoft Exchange Server
This update affects supported editions of Microsoft Exchange Server 2007 and 2010, and is also considered critical. If a user previews a special file using Outlook Web App, it could allow a remote code execution attack. This patch may require a restart, and updates the affected Oracle Outside to a protected version.
Vulnerability In OLE Automation
The last critical vulnerability involves Windows Object Linking and Embedding Automation where a user opening a specially crafted file could be exploited, giving the attacker the same level of rights. This is relevant to Windows XP Service Pack 3, and will require a restart.
With remote code execution exploits, one of the biggest and easiest ways to help lower the risk of unauthorized access is to make sure each user is set to have their permissions on a need-to-know basis. Regulating who gets administrative vs. restricted user access means even if there is a successful attack, there is a limited amount of data the attacker can access.
The report, including a more detailed description of the updates, and the non-critical patches, can be found here.
January Microsoft Security Updates
In January’s Microsoft security updates, there are two critical patches to speak of. The first is a vulnerability in Windows Print Spooler components, where a print server that receives a specially crafted print job could allow for remote code execution. … Continue reading →
December Microsoft Security Update
December’s Microsoft security updates were published Tuesday, the 11th. There were seven patches, predominantly regarding remote code execution in Office, Windows, and IE. In Internet Explorer there were critical vulnerabilities, the worst of which, caused by a user going to … Continue reading →
November Microsoft Security Update
This Tuesday Microsoft released their November updates, with a few critical patches to take a look at. The biggest updates involved three vulnerabilities within Internet Explorer, as well as the first updates for all Windows releases, including Windows 8. The … Continue reading →