Microsoft patch targets Internet Explorer drive-by attacks
Internet Explorer vulnerabilities warrant notice in this month's set of Microsoft Patch Tuesday bulletins and need to be fixed quickly even though the sheer number of patches may seem daunting.
The weaknesses leave users open to drive-by attacks, in which malicious code is downloaded without the user's knowledge while browsing. Putting off the patches because they are time-consuming to deploy will just widen the window of opportunity hackers have to exploit the flaws, says Alex Horan, a senior product manager at CORE Security.
"Preventing future drive-by style attacks and protecting end-users appear to be the theme of this month's Patch Tuesday," Horan says. "These patches can be a hassle for users to deploy and have the potential to create a long enough delay where hackers can take advantage."
So far the weaknesses haven't been exploited. "Fortunately, this issue has no known attacks in the wild," says Paul Henry, a security and forensic analyst at Lumension. "However, you should still plan to patch this immediately."
Four of seven bulletins for March are rated critical, with the first addressing browser problems. "It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT," says Qualys CTO Wolfgang Kandek.
Microsoft's Silverlight media application framework is also critically vulnerable, according to the company's Security Bulletin Advance Notification. It affects Silverlight whether deployed on Windows or Mac OS X operating systems, where it is used to run media applications such as Netflix, Kandek says.
This vulnerability is more of a concern to consumers because it only affects the Silverlight plug-in. Henry says plug-ins should be avoided in general. "[T]hey add another threat vector and are frequently an easy target for the bad guys," he says.
Also in critical need of patching is Microsoft's drawing application Visio, which comes as a surprise to Kandek. "It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the 'critical' rating," he says.
Critical vulnerabilities are those that could allow code execution without user interaction if they are successfully exploited. This type of exploit includes network worms and attacks triggered by browsing to infected Web pages or opening infected emails.
The final critical vulnerability lies in SharePoint Server, Microsoft says.
Three of the bulletins are rated important and include two that could allow data to leak and one that could allow attackers to elevate privileges on an exploited machine. Important bulletins include vulnerabilities that could compromise the confidentiality, integrity or availability of user data, or the integrity or availability of processing resources, Microsoft says. Such exploits may include warnings or prompts.