On its March Patch Tuesday, Microsoft has released 7 bulletins to close 20 security holes. Four of the updates are rated critical; they affect Windows, Internet Explorer, Silverlight (including the Windows 8 version), Office, and the Microsoft Server software. Windows 8 and Windows RT are also affected by the holes.
Microsoft recommends that the updates for Internet Explorer (MS13-021), Silverlight (MS13-022), and the Windows core (MS13-027) be given highest priority. The Windows core vulnerability is interesting because, although a successful attack requires direct physical local access, it doesn’t require anyone to be logged into the system. This allows potential attackers to connect a specially crafted USB flash drive and execute code at system privilege level almost in passing. In an expansion to its guidelines, Microsoft will, in future, rate such “drive-by” attacks at a higher severity level than attacks which require gaining physical control of a system by, for example, removing a hard disk or by booting from a different medium.
The three “important” bulletins close further holes in Windows, Office, and Microsoft’s server software. Microsoft has also made available a Flash update for Internet Explorer 10, probably to catch up with Adobe’s update. The company has provided an overview of the March patches and a table with an exploitability index, which helps with assessing the risks.