On February 14th, Microsoft announced nine patches designed to correct 21 vulnerabilities, four of them considered critical by the security analysts. Among the patches delivered for the users is the security update filed under the MS12-010 codename, which addresses four Internet Explorer vulnerabilities. This patch is valuable for all the Explorer versions still in use, as the Microsoft’s popular browser is believed to be a preferred environment for many malware that use it to spread.
As Dan Kaplan from SC Magazine puts it, “an exploit of any of these flaws could result in drive-by download attacks in which users are infected simply by visiting a malicious website.”
Another update that has the “critical” status is MS12-013. The Microsoft’s official bulletin explains it addresses a privately reported vulnerability in the C Run-Time Library, and the update supports Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. “The vulnerability could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user,” details Microsoft. Apparently the users who operate under administrative rights are more at risk than the regular users.
Andrew Storms, director of security operations at vulnerability management firm nCircle has a more cynical approach to the whole situation that is meant to reassure and then instantly trouble the users. “At first glance, this bulletin looks like bad news, but so far the only attack vector is via Microsoft Media Player,” he said, adding that “”Patch this one right after you patch Internet Explorer — attackers will probably have exploits for this very shortly.”
Somewhere by the end of the bulletin, Microsoft lest its fans know that the company released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.