Microsoft drops IE, Windows fixes on Patch Tuesday

Microsoft on Tuesday sprung six patches to correct 19 vulnerabilities across its product line.

Most pressing, according to the software giant, are two of the four "critical" patches, led by MS12-071, which addresses three previously unknown vulnerabilities in Internet Explorer 9. IE 10 is not affected. As with most browser vulnerabilities of this nature, users can be infected without taking any action, simply by visiting a compromised web page -- an attack tactic known as a drive-by download.

The other critical fix of note is MS12-075, which involves three privately reported TrueType font file flaws in the Windows kernel.

"Microsoft has been dealing with font issues for a while," Paul Henry, security and forensic analyst at Lumension, a patch and vulnerability management company, said in prepared comments. "TrueType fonts can be embedded all over the place, and Windows kernel mode driver renders the font. If these fonts are embedded in a browser or a Word document, for example, it's rendered in the kernel mode driver and winds up becoming a kernel mode exploit."

In the past, this class of vulnerability has been used to spread sophisticated malware, such as the espionage trojan Duqu.

Tuesday's update from Microsoft also included two other critical patches -- one affecting two remote-code vulnerabilities in Windows Briefcase versions XP through 7, and the other addressing five bugs in the .NET Framework. 

Of the remaining bulletins, one is rated "important" and involves an Excel flaw, while the other is deemed "moderate" and corrects a single vulnerability in Internet Information Systems (IIS), which "could allow information disclosure if an attacker sends specially crafted FTP commands to the server," according to Microsoft.
