Microsoft Patches 21 Flaws

The Febuary Patch Tuesday update includes nine security bulletins that fix 21 security vulnerabilities. At the top of the February Patch Tuesday update is a cumulative security update for Internet Explorer (IE) web browser that fixes four flaws, two of which are rated as being critical. The IE flaws affect multiple IE versions including IE 6, 7, 8, and 9.

“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer,” Microsoft warns in its advisory. “An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user.”

According to Microsoft, all of the IE flaws were properly reported to Microsoft and none of them are currently being exploited. That’s not the case with another of the critical patch bulletins — for which exploit code is likely already available, according to Microsoft.

Microsoft has identified vulnerabilities in Windows Kernel-Mode Drivers that could allow remote code execution. The kernel-mode flaws could be exploited if a user is directed to a malicious website by an attacker.

The other critical patch updates include a vulnerability in the C Run-Time library and vulnerabilities in Microsoft’s Silverlight and .NET media frameworks. According to Marcus Carey, security researcher at Rapid7, all of the critical bulletins will likely affect all organizations. The critical bulletins are all related to browsers and media players, and are the most likely to result in a compromise via end-user interaction.

“All the critical bulletins are primed for phishing attacks, which can result in a complete compromise of the user’s and organization’s data,” Carey told InternetNews.com.