Microsoft aims to stop drive-by downloads on Patch Tuesday

Windows, IE security flaws open users to social engineering attacks

Microsoft and third-party security experts warned that users could be subjected to drive-by downloads because of flaws in Windows and Internet Explorer that received fixes on Patch Tuesday this week.

Hackers are likely to use social engineering tricks to lure users to infected Web sites and media files, they warned. The vulnerabilities are among 10 security updates that patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office and SharePoint.

Microsoft TechEd event to shed light on cloud computing plans

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Microsoft and third-party security experts warned that users could be subjected to drive-by downloads because of flaws in Windows and Internet Explorer that received fixes on Patch Tuesday this week.

Hackers are likely to use social engineering tricks to lure users to infected Web sites and media files, they warned. The vulnerabilities are among 10 security updates that patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office and SharePoint.

Microsoft TechEd event to shed light on cloud computing plans

One bug in particular – a Windows kernel TrueType font parsing vulnerability – was rated as the most serious Patch Tuesday fix by Joshua Talbot, security intelligence manager for Symantec.

"Exploiting this - likely through a drive-by download attack - would give an attacker near system-level privileges. It's doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social engineering tricks coaxing them to visit unfamiliar Web pages, which could contain a malicious font."

The TrueType vulnerability was contained in Security Bulletin MS10-032, one of the ten issued by Microsoft Tuesday.

However, Microsoft rated three other bulletins as being even more important than this one, with two of them involving potential drive-by downloads, which occur when users authorize a download without understanding the consequences, or that simply occur without the user's knowledge.

MS10-033, a critical bulletin, "is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file," Microsoft said.

With this vulnerability, hackers may use media files to lure users into downloading malicious code.

"This could result in a drive-by download where the user visits a specially crafted Web site, and in this case it would be like a media file that could start streaming or the user could open a specially crafted media file that got sent to them via e-mail or some method like that," Microsoft security official Jerry Bryant said in a video accompanying the announcement.

These bugs are on par with some of the most critical ones observed on Patch Tuesday, says Andrew Storms, director of security operations at the security vendor nCircle.

Rather than making businesses vulnerable on the server side, this month's most serious bugs mainly target end users, he said.
"What looks to be a normal movie file that you click on and watch could have embedded malware inside and take control of your system," Storms said.

Similarly, the new bulletin MS10-035 involves flaws in Internet Explorer which could also result in drive-by downloads. 

A third critical bulletin, MS10-034, involves ActiveX Kill Bits and affects Windows 2000, XP, Vista and Windows 7.
Kill Bits ensure that vulnerable ActiveX controls can no longer be exploited through Internet Explorer.