Microsoft Fixes Critical Exchange Server, Internet Explorer Flaws
Microsoft on Tuesday addressed a serious graphics zero-day vulnerability and a bevy of critical vulnerabilities in Internet Explorer in its latest round of security patches.

The February 2013 Patch Tuesday updates included both server and client side products. The software giant issued 12 bulletins, five critical, addressing 57 vulnerabilities in Microsoft Windows, Office, IE, Exchange and the .NET Framework.

The company repaired a remote code execution zero-day vulnerability in the Windows implementation of Vector Markup Language, an XML-based file format used by IE to display two-dimensional graphics. Vulnerability management experts said the flaw was detected following an attack used to gather information. According to the MS13-010 bulletin, an attacker would need to trick a victim into viewing a malicious Web page and pass a malicious file into IE's rendering engine. The update impacts all currently supported versions of IE.

[Related: Adobe Issues Emergency Patch For Flash Player Zero-Day Flaws]

"It's out there and people know about it, and it has potential to be used for something more serious," said Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys.

Microsoft fixed 13 coding errors in IE. The MS13-009 bulletin addresses remote code execution vulnerabilities that can be exploited by an attacker in drive-by attacks. The update affects all currently supported versions of the Microsoft browser. All the issues were privately disclosed, Microsoft said.

Microsoft also addressed a critical vulnerability in Microsoft Office that could be exploited by sharing a malicious PowerPoint file. In its MS13-011 bulletin, the software giant said the DirectShow media decompression vulnerability had been publicly disclosed. The vulnerability can be exploited by embedding a media file or streaming content within the PowerPoint document. The flaw gives the attacker the same user rights as the victim. The update impacts all supported editions of Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Proof-of-concept code is publicly available for the vulnerability, according to Microsoft. The issue may have more of an impact on Microsoft users in Asia, said Qualys' Kandek, because a media codec more common in that region has to be installed in order for an attack to work.

A critical security update also addressed a serious flaw in Microsoft's Windows Object Linking and Embedding (OLE) Automation implementation. OLE is used to exchange data between processes on a Windows machine. The MS13-020 bulletin repairs a remote code execution vulnerability that an attacker can exploit by delivering a malicious file to the victim, whether as an email attachment or on a thumb drive. The security update is rated critical for Windows XP Service Pack 3.

A server-side update included a repair for a critical vulnerability in Exchange Server that could allow remote code execution against users of Outlook Web Access. The issue addressed in the MS13-012 bulletin stems from a third-party vulnerability in a library maintained by Oracle, which renders certain WebReady documents within the Web version of Outlook. The issue impacts users of Outlook 2007 and 2010.

The other two server-side updates were rated Important. Microsoft addressed vulnerabilities in FAST Search Server 2010 for SharePoint that could allow remote code execution; the issue only impacts users who have the Advanced Filter Pack enabled. A further security update addresses a flaw in the Microsoft Network File System server that an attacker could use to crash the server.

Other updates included bulletins addressing vulnerabilities in the Windows kernel, a TCP/IP flaw that could allow a denial-of-service condition, and an error in the .NET Framework that could be exploited to elevate privileges.

PUBLISHED FEB. 12, 2013