
A series of security updates released by Microsoft on March 11th included fixes for a critical security flaw in Internet Explorer 9 and 10 and the next-to-last updates for Windows XP.

The Internet Explorer “zero day” exploit was reported last January, when security firm FireEye first identified the previously unknown exploit compromising the web site for the Veterans for Foreign Wars. According to FireEye, the attackers compromised the web page and added an iframe (an inline frame) that loads a page containing JavaScript and a Flash animation infected with malware. Page users were then redirected to a remote site where a complete payload of malware was downloaded and executed on their computers.

An interesting aspect of this attack is that a Windows anti-exploit feature, Address Space Layout Randomization (ASLR), was overcome using Adobe’s Flash ActionScript, which loaded the infected animation into memory.

This is also the next-to-last security update for Windows XP and Office 2003, although nothing related to Office was included. The updates include fixes for four vulnerabilities in Windows XP. Refer to the following Microsoft update bulletins for details:

MS14-012: Cumulative Security Update for Internet Explorer (2925418)
MS14-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)
MS14-014: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)
MS14-015: Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)
MS14-016: Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)