Microsoft Fixes 28 Security Bugs For Patch Tuesday

Microsoft Office

The security fixes are part of Microsoft's regular monthly patch release, issued on the second Tuesday of every month, known as Patch Tuesday.

Six of the updates, repairing a total of 23 errors, were deemed critical, which means that potential cyber attackers have the ability to execute malicious code remotely that could shut down or completely take control of a user's PC. Specifically, the critical patches plug holes in different versions of Microsoft's Windows operating system, as well as Internet Explorer and Microsoft Word and Excel applications.

Experts say that one of the most serious bugs repaired by Microsoft's December patch bulletin was a vulnerability found in GDI that could be exploited if a user opens a malicious WMF image file. What makes this vulnerability particularly dangerous is that the user would only have to view a Web page containing a malicious image in order to become infected, experts say.

"It's a graphical interpretation that's deep within the operating system, and it's very easy for you to trigger it," said Wolfgang Kandek, CTO of security company Qualys. "All you have to do is go with your browser to a malicious Web site that hosts one of those images and your machine gets attacked and infected, most likely for monetary purposes."

Sponsored post

Another patch resolves two separate bugs in Windows Search. If left unpatched, a user's PC could become infected when he or she opened and saved a malicious saved-search file within Windows Explorer. A remote attacker also could infect victims by enticing a user to click on a maliciously crafted link, which is typically done by some kind of social engineering ploy. Once a user opens the specially crafted file, the attacker could then install malicious code on his or her computer or view, change or delete his or her personal data or create new accounts with full access privileges.

Microsoft also issued a broad patch addressing four security issues in Internet Explorer that could allow unsuspecting users to be the victims of a malicious attack by viewing a specially crafted Web page on the search engine.

The patch bundle included six fixes for security flaws in third-party ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files. Like many other critical flaws, these vulnerabilities enable remote attackers to launch an attack by luring victims to a Web site containing malicious content. Experts say that this flaw was particularly dangerous due to the fact that it is a third-party control, and ultimately relies on the software developers -- not the end users -- for its repair.

"It doesn't really patch the client's machine. It patches people who distribute ActiveX controls," said Amol Sarwate, manager of the vulnerabilities research lab for Qualys. "[In theory], as an attacker, I would make use of this vulnerability, and make victims download the ActiveX control and control their machines."

In addition, the security patch fixed eight more vulnerabilities in Microsoft Word and Microsoft Office Outlook that could allow remote code execution if a user was compelled to open a malicious Word or Rich Text Format file. Similarly, the patch also fixes three reported errors in Excel that could also open the door for hackers to launch a remote attack using a specially crafted Excel file.

Meanwhile, two of the security vulnerabilities, which were given an "important" ranking, repair errors in both SharePoint and WMC. The SharePoint fix resolves a vulnerability that allows an attacker to bypass normal user authentication by browsing an administrative URL on a SharePoint site that would result in elevated user privilege status.

So far, experts say that they have not found any of the vulnerabilities to be actively exploited in the wild. Nonetheless, security experts recommend that users patch their systems as soon as possible with the most recent security updates.

"The bad guys, they take these patches and reverse engineer them. They know very quickly what is broken in the version before. A day or two from now we could see these attacks being exploited," Kandek said.

"In general, we think patching is vital," Kandek added. "All these worms have used known vulnerabilities. If you had applied patches, this would not have happened."