Microsoft releases five critical security updates

Windows, Internet Explorer and SQL server all affected

Microsoft has fixed 26 security holes in its software products – including five deemed "critical" – it said in its monthly security bulletin.

The critical vulnerabilities affected Microsoft's Windows operating system, Internet Explorer, Exchange and SQL Server, while Microsoft Office was affected under other vulnerabilities labelled as "important".

The first critical update, MS12-052, is for Internet Explorer (IE) and resolves vulnerabilities that could allow remote code execution if a user viewed a specially crafted webpage. A successful attacker could gain the same user rights as the current user if successful in exploiting the security lapse.

The second update deemed critical is MS12-060. This is for Windows Common Controls, and applies to Office, SQL Server and other Microsoft server and developer tools. Microsoft said the update protects against attacks similar to that resolved by MS12-052.

In a related blog post, Microsoft security official Yunsun Wee said the technology giant was aware of "limited, targeted attacks attempting to exploit this vulnerability".

MS12-053, the third critical update, resolves a vulnerability in the Remote Desktop Protocol that could allow remote code execution if an attacker sent a sequence of specially crafted RDP packets to an affected system.

Ziv Mador, director of security research at security firm Trustwave SpiderLabs, said that if a business' server is remote it may be harder to disable.

"If you can't install the patch, at least block port 3389 at the firewall, which should help against remote attacks – then you just need to worry about the internal ones," he advised.

The fourth critical update, MS12-054 resolves vulnerabilities in Windows Networking Components that could allow remote code execution.

"This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the print spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE). All of these issues were reported to us through co-ordinated disclosure ,and we have no reports of these issues being exploited," Wee said.

Finally, MS12-058 fixes a security hole in Microsoft Exchange Server WebReady document viewing that could allow remote code execution.

"The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA)," Microsoft's bulletin said.

Mador explained that OWA uses the Oracle 'Outside In' Libraries, and this patch updates those libraries with a non-vulnerable version. He said Microsoft issued a patch for an Oracle product because these are custom libraries that Microsoft licenses from Oracle.

Important fixes were also found for vulnerabilities in Windows Kernal-Mode drivers, Jscript and VBScript engines, Microsoft Visio and Microsoft Office.