Microsoft fixing 23 vulnerabilities in Windows, Office, Silverlight and .NET
The patches, which among other things address remote code execution vulnerabilities, include seven bulletins for Windows, Silverlight, Office and the .NET Framework.
MS12-029, MS12-034 and MS12-035 are labeled by Microsoft as “critical” deployment priorities, and MS12-030, MS12-031, MS12-032 and MS12-033 are classified as “important”.
Wolfgang Kandek, CTO of security firm Qualys, said MS12-029 is the bulletin that should be “highest on the list for most organisations”, as the flaw can be used to gain control of an end-user’s machine without requiring user interaction.
“The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit,” Kandek said.
MS12-034, the second critical bulletin, addresses 10 vulnerabilities, including a flaw in the TrueType font handling in win32k.sys that was actively exploited by the Duqu malware.
MS12-035 is the third critical bulletin and addresses a flaw in XAML Browser Applications (XBAP), a Microsoft browser-based application delivery format. Kandek said it is probably the least urgent critical bulletin to install, as it can only be exploited without user interaction by an attacker who sits in the Intranet zone of the target.
The security flaws addressed in Microsoft’s patches this month were identified by a researcher at Context Information Security, which made Microsoft aware of the vulnerabilities last March. He has been working with it since then to help fix the issues, Microsoft said.
Microsoft’s Patch Tuesday release comes after Adobe released security patches for Flash Player and Apple released a patch aimed at repairing security vulnerabilities in iOS.