Microsoft Visual and Expression Studio; Patch ‘Em If You Have ‘Em

On Tuesday, I sent alerts about Microsoft Patch Day and their more severe Windows bulletins. If you haven’t jumped on those Windows updates yet, I recommend you do so — especially the RDP one. However, Microsoft also released two other less severe bulletins this week, fixing security flaws in Visual Studio and Expression Studio as well. I suspect fewer people use these specialized products. Nonetheless, if you are someone who does, you should definitely apply these patches, too.

I quickly summarize the two remaining March Microsoft bulletins below:

  • MS12-021: Visual Studio Elevation of Privilege Vulnerability

Visual Studio is Microsoft’s popular software development environment. If you have any Windows developers in your organization, you likely have it. Visual Studio suffers from a security issue involving the way it loads add-ins. If an attacker can physically gain access to a computer with Visual Studio, and can place a specially crafted add-in file into a specific directory, she could gain full administrator access to that computer. However, if attackers already have log-in credentials, and access to your computer’s file system, you have bigger fish to fry. This issue primarily poses an insider threat.

 Microsoft rating: Important

  • MS12-022: Expression Design Code Execution Vulnerability

Expression Design is a vector-based graphic illustration program. It suffers from a Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by .xpr and .DESIGN files for Expression Studio.

Microsoft rating: Important

Though I don’t feel these flaws are as severe as the Windows ones I described earlier this week, they do still pose some risk to users who have these applications. I suggest you patch them at your earliest convenience. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

5 Responses to “Microsoft Visual and Expression Studio; Patch ‘Em If You Have ‘Em”

  1. Search ‘public domain articles’ and you will find many sites to choose from.
    Stop reading now, and take the action you
    need to take your business to the next level. Try sending
    out some promotional freebies in your customers’ packages.

  2. Once you have developed your skills and you feel that you can go on,
    you are now ready to embark the career of being an Internet marketing consultant.
    Stop reading now, and take the action you need to take your business to the next
    level. Marketing and advertising and advertising and marketing high
    expense goods and services usually requires a distinct technique than promoting and marketing commodities, and organization to small business
    advertising and marketing is a great deal much more specialized.

Trackbacks/Pingbacks

  1. Microsoft Visual and Expression Studio; Patch ‘Em If You Have ‘Em | Mark A. Ashford Consulting Inc. - March 15, 2012

    [...] at Manage Subscriptions. > > Trouble clicking? Copy and paste this URL into your browser: > http://watchguardsecuritycenter.com/2012/03/15/microsoft-visual-and-expression-studio-patch-em-if-yo… > Thanks for flying with WordPress.com > > Share this:ShareFacebookStumbleUponReddit This entry [...]

  2. Microsoft Visual and Expression Studio; Patch ‘Em If You Have ‘Em | microreksa - March 15, 2012

    [...] Microsoft Visual and Expression Studio; Patch ‘Em If You Have ‘Em [...]

  3. WatchGuard Security Week in Review: Episode 9 | WatchGuard Security Center - March 16, 2012

    [...] Visual and Expression Studio – WatchGuard Security Center [...]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 7,679 other followers

%d bloggers like this: