On February 14, 2012, Microsoft published two security bulletins, which you can read here and here, about vulnerabilities in several of its software products, such as Windows XP Service Pack 3, Windows Vista Service Pack 2, Windows 7 for x64-based systems and Windows 7 for x64-based systems Service Pack 1, all of which received moderate severity ratings.
Those that received a critical rating – of which there are more than 20 – are, of course, the most vulnerable to “remote code execution.” As Microsoft explains it, “a remote code execution vulnerability exists in the way that the msvcrt DLL calculates the size of a buffer in memory, allowing data to be copied into memory that has not been properly allocated. This vulnerability could allow remote code execution if a user opens a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. He could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Naturally, if an attacker gains access through a restricted account, she will not be able to do as much damage as one who gains access to a computer through an account with full administrative rights.
These vulnerability issues are especially relevant to people who use Internet Explorer as their default browser. The severity rating is critical for Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 users on Windows clients. For Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 users on Windows servers, the severity rating is moderate.
The good news is that hackers can’t force users to go to malicious websites. Instead, users have to be persuaded to visit malicious websites or open tainted email messages. Sometimes, the email messages themselves are clean but contain links to malicious websites that users are invited to click.
People can access updates through the Microsoft Update and Windows Update sites or the Microsoft Download Center. According to Microsoft, those who have set their computers to seek and install updates automatically are already protected.
Microsoft acted quickly to protect its customers from harm once it detected vulnerabilities in its programs. Anyone who uses Internet Explorer 7, 8 or 9 and doesn’t have his computer set up to install updates automatically might want to act quickly.