Microsoft Patch Tuesday Fixes Critical Internet Explorer Flaws, USB Attacks

By Robert Westervelt
March 12, 2013 3:55 PM ET

Page 2 of 2

A vulnerability in Microsoft Visio Viewer 2010 that can be remotely exploited was addressed in Microsoft Office. Visio Viewer is Microsoft's rendering engine in Office to enable users to view plans, drawings, charts and other architectural documents created in Microsoft Visio. The critical flaw can be exploited if an attacker passes a malicious Visio file to the victim. The attacker would gain the same user rights as the current user, Microsoft said.

Four critical server-side vulnerabilities were repaired in Microsoft SharePoint and SharePoint Foundation. The most severe vulnerabilities allow elevation of privilege if a user clicks a malicious URL that takes the user to an infected SharePoint site, Microsoft said. In one of the attack scenarios, malicious code would execute if a system administrator reviewed search strings in SharePoint, security experts said. A denial-of-service flaw can cause the SharePoint site to crash, requiring a manual restart.

Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., pointed to a Windows Kernel update as one that should rank high on the priority list. The Windows Kernel security update addresses three vulnerabilities that can give an attacker elevated privileges. The update is rated important for Windows XP, Vista, Windows 7 and 8 and Windows Server 2008 and 2012.

The update can be used by an attacker in a USB attack and implemented whether or not the USB Autorun feature is disabled, Kandek said. Individuals who leave their systems at the office or don't continually have their system in sight are most at risk of an attack, he said. In corporate environments, system administrators can turn off USB drives to systems while the patch gets tested prior to deployment.

"If you leave your computer in your hotel room, somebody can come in and easily get control over your computer with the attack," Kandek said.

In addition, Microsoft addressed a flaw in Office for Mac that could result in information disclosure, as well as a flaw in Microsoft OneNote that can result in information disclosure if an attacker convinces a user to open a specially crafted OneNote file.

In February, Microsoft fixed 13 vulnerabilities in Internet Explorer and repaired critical errors in Microsoft Exchange Server. The February update addressed 57 vulnerabilities in Microsoft software.

PUBLISHED MARCH 12, 2013

<< Previous | 1 | 2

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	Head-To-Head: Symantec Vs. McAfee In Endpoint Protection McAfee and Symantec are archrivals with a firm grip on the North American security market. CRN pits both vendors' endpoint security products against each other and names a winner.
	The 8 Steps Behind The Massive $45M Cyber Bank Heist More than $45 million was stolen from banks in the U.S. and 19 other countries in a scheme that law enforcement is calling an international conspiracy to drain millions from bank accounts using stolen debit cards and PIN numbers. Here's how they did it.
	Name Of The Game: Top 10 States For Identity Theft A Federal Trade Commission report provides statistics on identity theft and fraud complaints in 2012. Learn which state has the dubious distinction of having the most victims.
	More Slide Shows