Microsoft repaired a bevy of critical flaws in Internet Explorer and plugged a vulnerability in the Windows Kernel driver that could enable USB attacks regardless of whether the Windows Autorun feature is disabled.
The software giant issued seven bulletins in its March 2013 Patch Tuesday, with four critical security bulletins, repairing 20 coding errors in Windows, Internet Explorer, SharePoint, Office and OneNote.
Microsoft repaired 9 vulnerabilities in Internet Explorer. One of the coding errors is a publicly disclosed zero-day flaw in Internet Explorer 8, the company said. The flaws can be used in drive-by attacks if an attacker lures victim's to a malicious website, Microsoft said. The flaws enable cybercriminals to bypass security restrictions built into the browser. An attacker can exploit the flaws to gain the same user rights as the victim, Microsoft said. The Internet Explorer vulnerabilities affect all currently supported versions of IE, including the company's latest version, IE 10.
The vulnerabilities addressed by Microsoft do not include those exploited by security researchers at the recent Pwn2Own hacking competition at the CanSecWest Conference in Vancouver. One of the attacks used by security research firm VUPEN against IE had three flaws in one, bypassing browser security mechanisms to gain access to the system.
Microsoft is now releasing patches for its browser every month, getting away from its previous cycle of patching IE every other month, said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle Security.
"I don't think it's any surprise that there is a backlog of IE bugs, just like any browser has bugs in it," Storms said. "They're recognizing the value of a secure browser and trying to keep up with Google and Mozilla that have automatic update mechanisms."
Microsoft also addressed a critical vulnerability in Silverlight, the company's multimedia Web application framework. Silverlight is installed to run video streaming from Netflix and other services. The remote code execution flaw could be exploited by visiting a malicious website or carried out by injecting code in user-hosted content or banner advertisements. The company said attacks can be carried out by tricking users to click on a malicious link in an email message or an instant message.
The Silverlight security update is rated critical for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and all supported releases of Microsoft Windows, the company said. Successfully exploiting the flaw enables an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
NEXT: Windows Kernel Flaw Enables USB Attack