On Tuesday, Microsoft released its monthly software update. This time, the release included seven security bulletins which addressed 20 vulnerabilities.
Brian Prince with eWeek reported, “Microsoft released seven security bulletins March 12 as part of its Patch Tuesday update, including a critical fix for Internet Explorer (IE). Four of the bulletins were rated ‘critical,’ while the other three were ranked as ‘important.’ All totaled, 20 vulnerabilities were fixed across Microsoft Windows, IE, Office, Server Tools and Silverlight.”
SecurityWatch’s Fahmida Y. Rashid noted, “The kernel mode driver vulnerability patched this month may seem similar to the bugs patched in February and January, but is a much more scary flaw. The flaw in the USB device driver could be triggered just by the act of someone inserting a USB drive into computer. It doesn’t matter if the computer is locked or if the user is logged out; the computer just has to be on. Microsoft rated this bulletin as merely ‘important’ as opposed to ‘critical’ because the attack requires the attacker to have physical access to the computer….However, other experts were alarmed. ‘Just imagine what a properly motivated janitorial staff could do with this vulnerability in just one evening,’ said Andrew Storms, director of security operations at nCircle. Public kiosks and co-location centers that don’t have locked cabinets are all at risk. ‘The potential for harm with this vulnerability can’t be overstated,’ Storms said.”
CRN’s Robert Westervelt added, “Microsoft repaired 9 vulnerabilities in Internet Explorer. One of the coding errors is a publicly disclosed zero-day flaw in Internet Explorer 8, the company said. The flaws can be used in drive-by attacks if an attacker lures victim’s to a malicious website, Microsoft said. The flaws enable cybercriminals to bypass security restrictions built into the browser. An attacker can exploit the flaws to gain the same user rights as the victim, Microsoft said. The Internet Explorer vulnerabilities affect all currently supported versions of IE, including the company’s latest version, IE 10.”
Also, according to ZDNet’s Mary Jo Foley, “As part of the myriad fixes and updates that Microsoft released on March 13, this month’s Patch Tuesday, is the Slow Boot Slow Login (SBSL) Hotfix Rollup for Windows 7 and Server 2008 R2. This is a rollup of 90 hotfixes that were released after SP1 for Windows 7 and Windows Server 2008 R2. These fixes improve overall performance and system reliability of both operating systems. Included are improvements to the Distributed File System Namespaces (DFSN) client, Folder Redirection, Offline Files and Folders, Windows Management Instrumentation (WMI), SMB client and Group Policy, as detailed on the Ask Premier Field Engineering Platforms blog.”