A new batch of security updates released by Microsoft on Tuesday address a total of 23 vulnerabilities in Internet Explorer, Windows, and Microsoft Office, including one that is actively exploited by attackers. The handling of digital certificates in Windows was also improved.
Only the security bulletin for Internet Explorer, identified as MS13-047, is rated critical. This bulletin addresses 19 privately reported vulnerabilities that affect all Internet Explorer versions, from IE 6 to 10, and could allow remote attackers to execute code on computers with the privileges of the active user.
[ InfoWorld's expert contributors show you how to secure your Web browsers in a free PDF guide. Download it today! | Learn how to protect your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
In order to exploit one of these vulnerabilities attackers need to set up a maliciously crafted Web page and trick users into visiting it. However, on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, Internet Explorer runs in a restricted mode called Enhanced Security Configuration that mitigates the vulnerability.
These Internet Explorer vulnerabilities might be a target for attackers who could try to reverse engineer the patches and build reliable exploits, said Wolfgang Kandek, the chief technology officer at security vendor Qualys.
According to a risk assessment table for the vulnerabilities that was published Tuesday on the Microsoft Research and Defense blog, Microsoft believes that its likely to see reliable exploits for the Internet Explorer vulnerabilities developed within next 30 days.
One of the vulnerabilities that Kandek is most concerned about affects Microsoft Office 2003 and Microsoft Office for Mac 2011 -- the most recent version of Office available for Mac OS X. This remote code execution flaw was addressed in the MS13-051 security bulletin, but is already being actively exploited in targeted attacks. Despite this, Microsoft only rated the security bulletin as important and not critical.
The vulnerability stems from an error in how Microsoft Office components process PNG files and can be exploited by tricking users to open specially crafted files or to preview specially crafted email messages with an affected version of Microsoft Office.
"The attacks we observed were extremely targeted in nature and were designed to avoid being investigated by security researchers," said Neil Sikka, a security engineer with the Microsoft Security Response Center, in a blog post Tuesday. "The malicious samples observed are Office documents (Office 2003 binary format) which do not include the malicious PNG file embedded directly in the document. Rather, the documents reference a malicious PNG file loaded from Internet and hosted on a remote server."