Microsoft Patch Tuesday Fixes Critical Internet Explorer Flaws, USB Attacks


A vulnerability in Microsoft Visio Viewer 2010 that can be remotely exploited was addressed in Microsoft Office. Visio Viewer is Microsoft's rendering engine in Office to enable users to view plans, drawings, charts and other architectural documents created in Microsoft Visio. The critical flaw can be exploited if an attacker passes a malicious Visio file to the victim. The attacker would gain the same user rights as the current user, Microsoft said.

Four critical server-side vulnerabilities were repaired in Microsoft SharePoint and SharePoint Foundation. The most severe vulnerabilities allow elevation of privilege if a user clicks a malicious URL that takes the user to an infected SharePoint site, Microsoft said. In one of the attack scenarios, malicious code would execute if a system administrator reviewed search strings in SharePoint, security experts said. A denial-of-service flaw can cause the SharePoint site to crash, requiring a manual restart.

Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., pointed to a Windows Kernel update as one that should rank high on the priority list. The Windows Kernel security update addresses three vulnerabilities that can give an attacker elevated privileges. The update is rated important for Windows XP, Vista, Windows 7 and 8 and Windows Server 2008 and 2012.

The update can be used by an attacker in a USB attack and implemented whether or not the USB Autorun feature is disabled, Kandek said. Individuals who leave their systems at the office or don't continually have their system in sight are most at risk of an attack, he said. In corporate environments, system administrators can turn off USB drives to systems while the patch gets tested prior to deployment.

"If you leave your computer in your hotel room, somebody can come in and easily get control over your computer with the attack," Kandek said.

In addition, Microsoft addressed a flaw in Office for Mac that could result in information disclosure, as well as a flaw in Microsoft OneNote that can result in information disclosure if an attacker convinces a user to open a specially crafted OneNote file.

In February, Microsoft fixed 13 vulnerabilities in Internet Explorer and repaired critical errors in Microsoft Exchange Server. The February update addressed 57 vulnerabilities in Microsoft software.

PUBLISHED MARCH 12, 2013