Microsoft Fixes Media File, Silverlight Flaws In Patch Tuesday Release


As it has in the past several Patch Tuesday cycles, Microsoft is fixing several remote code execution vulnerabilities affecting media files. The flaws patched in MS10-052 and MS10-055 are especially pernicious because they piggyback on Internet memes and rely on people's tendency to click on links in e-mail without always considering the source.

"It's the continuation of a trend," says Jason Miller, data and security team manager at Shavlik Technologies, Minneapolis, Minn. "These vulnerabilities are extremely malicious if exploited, and they're attacking a vector that people are using quite often, because media is very prevalent."

Microsoft also fixed a pair of critical vulnerabilities in Silverlight. Although Flash exploits are common, Silverlight usage isn't as widespread and hasn't represented much of a target for miscreants.

"Microsoft has put out bulletins on Silverlight in the past, but this one is a little more scary because it can lead to remote code execution," said Miller. "It'll be interesting to see if attackers start jumping on Silverlight, because we haven't seen that many targeting it previously."

MS10-056 deals with four vulnerabilities in Microsoft Word, including one that can be exploited by getting a user to click on a maliciously rigged RTF attachment, which many companies don't block because they're not typically used in attacks. For Outlook 2007 users, this flaw is even more serious.

When Outlook 2007 is configured to use Word as the default document viewer, simply opening an e-mail will trigger the exploit because the preview pane renders the RTF file. "You don’t even have to open the Word doc to get infected," said Wolfgang Kandek, CTO of Qualys, a Redwood Shores, Calif.-based security firm.

Microsoft's MS10-053 bulletin addresses six vulnerabilities in Internet Explorer, the most severe of which could be exploited through the tried-and-true method of tricking users into visiting a maliciously designed Web page. That's also true of MS10-051, which fixes a critical remote code execution vulnerability in Microsoft XML Core Services.

Although 14 security bulletins represent a new record for Microsoft, the size of this Patch Tuesday release is in line with previous August and September releases, which have tended to be larger than other months, according to Kandek.