After releasing 12 security bulletins resolving a whopping 57 security flaws last month, this month’s Patch Tuesday is relatively light.
For March, Microsoft unveils seven bulletins, of which four are rated Critical and three Important. Three of the bulletins deemed Critical may allow remote code execution, which could let attackers install malware on unpatched systems. The other Critical bulletin may allow attackers to gain admin rights, effectively giving them control over vulnerable machines.
The first of these Critical bulletins addresses flaws found in Internet Explorer versions 6 to 10 on all versions of Windows, including Windows 8. In particular, Microsoft noted CVE-2013-2888 because its exploit code is said to be publicly available, giving possible attackers enough information to create working exploits in the near future.
The other Critical bulletins concern Microsoft Silverlight, Office and Server Software. Two bulletins tagged as Important, both for Microsoft Office, may lead to unwanted exposure of important and personal data. The last Important bulletin, which addresses a vulnerability in Windows, may lead to elevation of privileges.
However, this month’s roster of bulletins does not address the IE 10 vulnerabilities found during the Pwn2Own hacking contest last week, in which researchers were able to pwn the MS Surface Pro by way of these IE flaws. More importantly, abusing these zero-day vulnerabilities enabled them to fully compromise Windows 8 with a sandbox bypass.
We highly recommend that security administrators and users everywhere apply these security updates as soon as possible. Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users are protected from any attacks that may leverage these vulnerabilities. For more information on the bulletins and corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.