SOFTWARE BUG FACTORY Microsoft releases patches on the second Tuesday of every month, and this February Patch Tuesday saw it issue 12 bulletins addressing 57 vulnerabilities across the firm's software.
Five of the 12 bulletins were tagged with Microsoft's highest security rating of "critical", covering a number of products such as Microsoft Windows, Microsoft Office, Internet Explorer (IE), Microsoft Exchange Server and the Microsoft .NET Framework.
"For those who need to prioritize deployment, we recommend focusing on MS13-009, MS13-010 and MS13-020 first," said Microsoft Trustworthy Computing group manager for response and communications Dustin Childs in a blog post.
MS13-009 was referred to as the "core" IE update by Microsoft because it addresses a number of vulnerabilities in IE, resolving 13 issues found in the software. Microsoft said that the most severe vulnerabilities this patch addresses could allow remote code execution if a user views a specially crafted webpage using the web browser.
"An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner," Childs explained.
The second update recommended by Childs, MS13-010, addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL).
California security firm Qualys CTO Wolfgang Kandek said this flaw is "quite urgent" to fix because the vulnerability is being exploited in the wild.
"The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics," Kandek said.
"VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible."
Childs' third recommended critical patch, MS13-020 resolves an issue in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability patched here could allow remote code execution if a user opened a "specially crafted file".
Childs added that none of the three patches were "privately reported" and Microsoft has "not detected any attacks or customer impact".
Microsoft's bulletin summary replaced the bulletin advance notification issued on 7 February. µ