Microsoft Ships 12 Bulletins in February's Patch Tuesday
Microsoft addressed 22 flaws with 12 separate bulletins in February's edition of Patch Tuesday, including three bulletins that were rated critical, with the remaining nine rated important. Among the programs affected are Microsoft Windows, Internet Explorer, Office, Visual Studio, and IIS.
The first patch receiving a critical rating is a cumulative security update for Internet Explorer, MS11-003, which affects Windows and Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user opens a legitimate HTML file that loads a specially crafted library file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Accounts with limited user rights on a system would be less affected than those with administrative access.
MS11-006 resolves a publicly disclosed vulnerability in Windows Shell graphics processing that could allow remote code execution if a user views a specially crafted thumbnail image. If exploited, an attacker could gain the same rights as the logged-in user, and as usual, the fewer rights a user has, the less impacted he or she will be.
The final critical vulnerability is MS11-007, a bug in the OpenType Compact Font Format (CFF) driver that again could allow remote code execution against any user who views content rendered in a specially crafted CFF font. To exploit this vulnerability, an attacker would need to persuade users to visit the attacker's website by convincing them to click a link, typically in an email or instant message.
The remaining patches are all rated important. MS11-004 resolves a publicly disclosed vulnerability in the Microsoft Internet Information Services (IIS) FTP Service that could allow remote code execution if an FTP server receives specially crafted commands. MS11-005 resolves a bug that could allow an attacker to launch a denial-of-service attack by sending a specially crafted packet to an affected Active Directory server. Two privately reported bugs are resolved in MS11-008; these could allow an attacker remote code execution with the same user rights as the logged-in user if that user opened a specially crafted Visio file. MS11-009 resolves a privately reported vulnerability in the JScript and VBScript scripting engines that could allow information disclosure if a user visited a specially crafted Web site. Again, an attacker would have to trick the user into following a link via email or some messaging platform.
The five remaining bulletins all address issues in Windows that could lead to an elevation of privilege. MS11-010 resolves a privately reported vulnerability in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003 that could allow elevation of privilege if an attacker logs on to a user's system and starts a specially crafted application that continues running after the attacker logs off in order to obtain the logon credentials of subsequent users. MS11-011 resolves one publicly disclosed vulnerability and one privately reported vulnerability that could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. MS11-012 resolves five privately reported vulnerabilities that could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.
MS11-013 resolves one privately reported vulnerability and one publicly disclosed vulnerability; the more severe of these could allow elevation of privilege if a local, authenticated attacker installs a malicious service on a domain-joined computer. MS11-014 resolves a privately reported vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003 that could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.