News

9 IE Flaws Addressed in March Security Bulletin 

• By Chris Paoli
• 03/12/2013

Microsoft's monthly security update arrived today with seven bulletins that address 20 flaws across a myriad of products.

Included in the load was a "critical" cumulative security update for Microsoft's Internet Explorer. The browser security item, bulletin MS13-021, is noteworthy for the nine flaws addressed, representing the highest amount for any Internet Explorer patch to date. While Internet Explorer 10 on Windows 8 is included in the fix, Internet Explorer 10 on Windows 7 is not. This disparity could exist because IE 10 on Windows 7 was just released in February and could have already included the fix.

In any case, Microsoft's Dustin Childs advises that this bulletin should be the top priority for IT pros this month. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," wrote Childs. "An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner. All but one of these issues were privately disclosed and we have not detected any attacks or customer impact for any of the issues."

The second of four total critical items for the month, bulletin MS13-022, takes care of a flaw that could lead to a remote code execution (RCE) action in Microsoft Silverlight 5. As with the majority of RCE flaws, this one can be initiated if a user visits a malicious Web site.

As a side note, because Microsoft has stopped support for Silverlight 4, those running the older version are advised to upgrade to Silverlight 5 before patching.

Bulletin MS13-023 is a fix for one privately reported hole in Microsoft's Visio Viewer 2010 that could lead to another RCE flaw if a malicious file is opened in Microsoft Office. According to Paul Henry, security and forensic analyst at Lumension, this item, while rated critical, should not be a high priority for most users.

"It's a pretty standard-looking file type vulnerability issue," Henry wrote in an e-mailed response.  "The attack vector for this would be receiving an email with a contaminated Visio diagram, which might be useful for a spear phishing attack, but is otherwise pretty low-key as an issue."

The final critical item of March (bulletin MS13-024) takes care of four flaws in Microsoft SharePoint Server 2010 and SharePoint Foundation 2010. The most severe flaw of the four could lead to an elevation-of-privilege problem thanks to a cross-site scripting flaw that could be leveraged by attackers if harmful code were inserted into a search query.

Important Items
Microsoft's March security patch also includes the three following bulletins rated as "important":

• MS13-025: Addresses one flaw in Microsoft's OneNote 2010 that could lead to an information disclosure if a malicious OneNote file is opened.
• MS13-026: This bulletin takes care of a flaw in Microsoft Office for Mac that may lead to an information disclosure if gone unpatched.
• MS13-027: The final bulletin of the month targets three privately reported flaws in Windows' kernel drivers; the most serious of the three could be used to leverage an elevation of privilege. 

Windows Store App Security
Along with today's monthly security rollout, Microsoft sent word that Windows Store Apps for Windows 8 and RT will not be included with future security updates.  Instead, they will be rolled out separately, once available.

"This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store," wrote Mike Reavy, Microsoft Security Response Center's Senior Director, in a blog post. "Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process."