(LiveHacking.Com) – Microsoft has released six security bulletins, four of which are rated Critical in severity, and two Important. The bulletins fix vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Server Software, Developer Tools, and Forefront Unified Access Gateway.
The first Critical severity bulletin (MS12-023) fixes five vulnerabilities in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage designed to exploit the vulnerability. The attacker would then gain the same user rights as the current user.
Next, Microsoft fixed a remote code execution vulnerability in Microsoft Windows (MS12-024). The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
Remote code execution vulnerabilities were also fixed in the .NET Framework (MS12-025):
- If a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs), then an attacker could execute arbitrary code on the PC.
- Remote code execution could also occur on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a web hosting scenario.
- This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability.
- Finally, a compromised website or a website that accepts user-provided content or advertisements could host specially crafted content to exploit this vulnerability.
The fourth and final Critical severity vulnerability fixed is in the Windows common controls (MS12-027). The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. The Windows common controls are installed on a PC with software like Microsoft Office, Microsoft SQL Server and Microsoft Visual FoxPro.