The March 2012 security update is now available for download from Microsoft’s servers, bringing fixes for no fewer than seven vulnerabilities. Just as announced last week, Microsoft issued six bulletins to address the various issues affecting Windows and other products.
The first of these bulletins patches two vulnerabilities rated critical that affected the Remote Desktop Protocol in all Windows releases, starting with Windows XP Service Pack 3 and Windows Server 2003.
“The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system,” Microsoft explains.
Two other bulletins address vulnerabilities found in Windows, both rated Important: one could allow denial of service, while the other could allow elevation of privilege.
The first of these vulnerabilities “could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server,” Microsoft explains.
As for the second of them, it could allow elevation of privilege if an attacker logs on to the computer and runs a specially crafted application.
“An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability,” the Redmond-based software giant explains.
The fourth bulletin included in the March 2012 security update, namely MS12-021, patches a Visual Studio breach that could allow Elevation of Privilege. The vulnerability is rated Important.
“The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio,” the company notes. The attacker needs valid logon credentials and has to log on locally to exploit it.
Microsoft Expression Design was also affected by a recently discovered vulnerability. Rated Important, it could allow for Remote Code Execution if a user opens a legitimate file located in a network directory where a specially crafted dynamic link library (DLL) file is also found.
“Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained,” Microsoft explains.
“For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.”
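The scenario Microsoft describes for Expression Design is a classic DLL preloading layout: a legitimate document and a planted DLL sitting in the same untrusted directory. The following sweep is an added illustration written for this page, not code from the original article or from Microsoft. It walks a file share and flags every directory in which a document file (the .xpr and .DESIGN extensions named in the bulletin) sits beside a DLL, which is the layout a defender would want to spot before users open files from that location. The directory names and the `helper.dll` file name are constructed sample values, not identifiers from the bulletin.

```python
"""Flag directories where a design document sits beside a DLL.

Added illustration (not from the original article or from Microsoft): a
defender-side sweep of a share for the layout the Expression Design
bulletin describes, i.e. a legitimate .xpr/.DESIGN file in the same
directory as a DLL the application might load. The sample share layout
built below is constructed for the demonstration.
"""
import os
import tempfile

DOC_EXTENSIONS = {".xpr", ".design"}   # extensions named in the bulletin text
LIBRARY_EXTENSIONS = {".dll"}


def find_colocated_dlls(root):
    """Walk root and return {directory: (documents, dlls)} for every
    directory holding at least one document and at least one DLL."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in DOC_EXTENSIONS)
        dlls = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in LIBRARY_EXTENSIONS)
        if docs and dlls:
            hits[dirpath] = (docs, dlls)
    return hits


def build_sample_share():
    """Create a constructed share layout in a temporary directory.

    Only designs/suspect/ has the risky combination; tools/ holds a DLL
    without any document and designs/clean/ holds a document without a DLL.
    """
    root = tempfile.mkdtemp(prefix="share_")
    sample_files = [
        "designs/clean/logo.DESIGN",
        "designs/suspect/brochure.xpr",
        "designs/suspect/helper.dll",   # constructed placeholder DLL name
        "tools/unrelated.dll",
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")          # content is irrelevant to the check
    return root


def report(root):
    """Return [(relative_dir, documents, dlls)] sorted by directory."""
    hits = find_colocated_dlls(root)
    return [(os.path.relpath(d, root), docs, dlls)
            for d, (docs, dlls) in sorted(hits.items())]


if __name__ == "__main__":
    share = build_sample_share()
    for rel_dir, docs, dlls in report(share):
        print(f"{rel_dir}: documents {docs} alongside DLLs {dlls}")
```

On the constructed layout only `designs/suspect` is reported; a DLL on its own (`tools/`) or a document on its own (`designs/clean/`) does not match, because the bulletin's scenario requires both to be present in one directory.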
The sixth bulletin in Microsoft’s March security update resolves a publicly disclosed vulnerability that could result in denial of service and which is rated Moderate.
Found in Windows DirectWrite, the breach could be exploited in an Instant Messenger-based attack scenario, in which the attacker sends a specially crafted sequence of Unicode characters to the messaging client. The target application could stop responding.
You can find more information on these vulnerabilities in Microsoft’s Security Bulletin Summary for March 2012. The updates will be delivered immediately to all Windows machines that have the automatic update feature active. Users who turned it off will have to update manually.