Microsoft Security Bulletin MS12-008 - Critical

The following were installed 16 Feb. All were rated critical or important. General security updates for

• Silverlight,
• Malicious Software Removal Tool updates,
• Cumulative updates for IE 8

Along with these specific updates:

Microsoft Security Bulletin MS12-008 - Critical

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)

Published: Tuesday, February 14, 2012

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that the Windows kernel-mode driver handles user mode calls to GDI and handles keyboard layout errors. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Microsoft Security Bulletin MS12-006 - Important

Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

Published: Tuesday, January 10, 2012 | Updated: Wednesday, January 18, 2012

Version: 1.1

General Information

Executive Summary

This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2588513.

Microsoft Security Bulletin MS12-016 - Critical

Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026)

Published: Tuesday, February 14, 2012 | Updated: Wednesday, February 15, 2012

Version: 1.2

General Information

Executive Summary

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows; and for Microsoft Silverlight 4. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by correcting the manner in which Microsoft .NET Framework and Microsoft Silverlight use unmanaged objects. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Microsoft Security Bulletin MS12-009 - Important

Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640)

Published: Tuesday, February 14, 2012

Version: 1.0

General Information

Executive Summary

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.

This security update is rated Important for all supported editions of Windows XP (except x86-based), Windows Server 2003, Windows Vista (except x86-based), Windows Server 2008 (except x86-based), Windows 7 (except x86-based), and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by correcting the way that the AFD validates input before passing the input from user-mode to the Windows kernel. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Microsoft Security Bulletin MS12-006 - Important

Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

Published: Tuesday, January 10, 2012 | Updated: Wednesday, January 18, 2012

Version: 1.1

General Information

Executive Summary

This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2588513.