The Inquirer-Home

Microsoft issues four critical updates for Patch Tuesday

Could allow remote code execution via a 'specially crafted' webpage in IE
Wed Mar 13 2013, 11:20

SOFTWARE BUG FACTORY Microsoft has issued seven security bulletins across its software line in its Patch Tuesday release for March.

The release comprises four updates tagged with Microsoft's highest security rating of Critical, and three rated Important. The patches fix 20 vulnerabilities overall, including resolutions for flaws in Internet Explorer (IE), Silverlight, and Visio Viewer.

"This security update resolves eight privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer," Microsoft said on its security bulletin report webpage on Tuesday.

The Redmond firm warned that the most severe vulnerability the release addresses could allow remote code execution if a user views a "specially crafted webpage" using IE6 through IE10.

"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user," Microsoft added.

Security analysts advise that the most vital of these patches is MS13-021, an update for Internet Explorer that addresses nine distinct vulnerabilities, including CVE-2013-1288, an exploit that had gone unnoticed in the wild for one month.

"You are going to want to patch this as quickly as possible," said security firm Qualys' CTO, Wolfgang Kandek. "The attack vector is through a web page that anybody with access to [penetration testing software] Metasploit can set up quite easily."

Kandek's second-ranked vulnerability is MS13-027, rated as Important but not Critical by Microsoft because physical access to the machine is required to exploit it.

MS13-027 addresses a flaw in the USB driver on Windows that allows an attacker to achieve code execution by simply inserting a USB drive into the target machine.

"This method has in the past been described as the 'evil maid' attack," Kandek explained.

"The attack vector is broad, encompassing anybody who has access to your unattended computer, be it the janitor at your workplace, the staff at the hotel where you are staying, or anywhere somebody with physical access can insert a USB drive into your computer."

March's Patch Tuesday release might include four Critical updates, but that's nothing compared to last month's, when Microsoft released 12 bulletins addressing 57 vulnerabilities across the firm's software for February Patch Tuesday.

Five of those 12 bulletins last month were tagged with a security rating of Critical, covering a number of products such as Microsoft Windows, Microsoft Office, IE, Microsoft Exchange Server and the Microsoft .NET Framework. µ
