Microsoft to patch seven vulnerabilities -- three critical
As is its custom, Microsoft didn't reveal much in the way of details in its advance notification, so precise information about the nature of the fixes, other than their severity and the products they impact, is unavailable.
For instance, Microsoft revealed "no details, aside from remote code execution," on the critical flaw that affects the Windows' Bluetooth capabilities, Eric Schultze, chief technology officer at Shavlik Technologies told SCMagazineUS.com. Bluetooth is a wireless technology used to connect PCs to keyboards, computer mice, headsets and cell phones.
"The flaw could possibly be a Bluetooth stack driver issue, which might allow for RCE (remote code execution) by exploiting the driver," Andre Protas, director of research and preview services at eEye Digital Security, told SCMagazineUS.com. "The attack vector isn't confirmed, but it might be interesting to see someone exploit Windows by physical proximity over Bluetooth."
The impact of this bug is somewhat mitigated because Bluetooth is not enabled by default, Schultze said.
The second critical patch affects Internet Explorer and appears to be a cumulative update, Protas said.
"Microsoft is quick to patch these types of Internet Explorer vulnerabilities," Schultze said. "The likelihood of being hacked is slim because we don't see these vulnerabilities being exploited in widespread attacks, and if they are exploited, it's a very small group of people who get hit."
The third critical flaw, which impacts the DirectX video functions, could be exploited when a visitor clicks on a malicious graphic or video image on a website, said Schultze.
"These can be pretty nasty depending on the difficulty in exploiting it," Protas said. "It also affects every Microsoft operating system, which is interesting."
The “important” flaw impacts the Windows Internet Name Service (WINS), Microsoft's implementation of the NetBIOS name service, Active Directory and the Pragmatic General Multicast (PGM) protocol, which is a multicast transport protocol. All three could cause a denial-of-service on the impacted Windows PC, according to Microsoft.
Although Microsoft has listed it as a moderate flaw, Protas said he is interested to see which ActiveX controls will be given kill-bit capabilities, which allow users to set flags that prevent execution of some ActiveX while running Internet Explorer.