Microsoft will repair critical vulnerabilities in Internet Explorer and other serious flaws in Office and SharePoint Server during its Patch Tuesday updates scheduled for March 12.
The software giant said it would issue seven bulletins next week, four critical and three important, as part of its March 2013 round of scheduled security updates. The issues impact all currently supported versions of Microsoft Windows, the company said in its Advance Notification issued today.
The critical coding errors include remote code execution vulnerabilities and an elevation of privilege flaw. The update also addresses information disclosure errors. Several of the updates, including those slated for its server software, may require a restart, Microsoft said.
Vulnerability management experts said the update to Internet Explorer and Silverlight indicates that the software maker is attempting to protect users from drive-by attacks. Alex Horan, senior product manager, CORE Security, said in a statement that the slew of end-user patches required to fix the errors could make patching difficult for administrators. "These patches can be a hassle for users to deploy and have the potential to create a long enough delay where hackers can take advantage," Horan said in a statement.
Wolfgang Kandek, CTO of vulnerability management vendor Qualys, said the issues with Microsoft Office could be serious. The update affiliated with Office includes repairs to Visio and Office Filter Pack, which usually requires extensive user interaction, such as opening an infected file, in order for a cybercriminal to carry out an attack, Kandek wrote in the company blog. "It will be interesting to see the attack vector for this vulnerability that warrants the 'critical' rating," he wrote.
Microsoft issued 12 security bulletins in February, addressing 57 flaws in Microsoft Windows, Office, Exchange and the .NET Framework. The update last month included a repair for a serious graphic Zero-day vulnerability and 13 critical coding errors in Internet Explorer in the wake of drive-by attacks targeting the browser.
PUBLISHED MARCH 7, 2013