February patches from Microsoft and Adobe
On its February Patch Tuesday, Microsoft has released 12 bulletins to close a total of 57 holes. Five bulletins have been rated critical by the company. Adobe has also had its monthly patch day, releasing patches to fix vulnerabilities in Flash, AIR and Shockwave.
One of the components responsible for the high number of holes in Microsoft products is Internet Explorer: one critical bulletin is a combined update that fixes 13 vulnerabilities in all currently supported versions of IE, among them numerous use-after-free holes that allow access to freshly deallocated memory areas. At worst, these vulnerabilities can cause a system to become infected with malicious code when a specially crafted web page is visited. Another bulletin fixes a critical hole in Internet Explorer's code for processing VML files; Vector Markup Language (VML) is a language for formatting vector graphics.
Windows has also been patched: a critical bulletin fixes a hole in the Quartz.dll DirectShow library that is included in Windows up to Vista (and in all server editions up to 2008). The hole can be exploited to infect systems with malicious code when a specially crafted media file is opened. Such files can, for example, lurk in Office documents such as PowerPoint presentations. Microsoft has also closed a critical hole in the OLE (Object Linking and Embedding) automation of XP that allowed attackers to execute code at the user's privilege level. The fifth critical bulletin fixes two further holes in Exchange Server 2003 and 2007 that were caused by Oracle's Outside In file converter.
The remaining "important" bulletins are also significant: most of them fix holes in Windows and affect all versions. One bulletin alone fixes 30 confidentially reported race conditions that allowed attackers who were already signed into a system with a valid Windows account to escalate their privileges. Other holes in Windows could be exploited to paralyse a computer or trigger a reboot (denial of service); for instance, attackers were able to achieve this using specially crafted TCP packets. Microsoft has also patched the .NET Framework and FAST Search Server 2010 for SharePoint SP1.
Adobe's February Patch Tuesday has provided new Flash versions for all supported operating systems: Windows, Mac OS X, Linux and Android. The updates fix numerous critical vulnerabilities, among them buffer overflows and use-after-free bugs, that can, for example, be exploited to inject malicious code. The full list of new version numbers can be found in Adobe's advisory. Google's Chrome browser updates its Flash plugin automatically, and Windows 8 handles Flash updates for Internet Explorer 10. The vulnerabilities were also closed in AIR and in the AIR SDK. In addition, Adobe has closed two critical holes in Shockwave; the version number of the update is 184.108.40.206.