Yesterday, Microsoft issued 12 security bulletins that address 22 vulnerabilities, five of which were rated critical.
Among the patches was a fix for the public vulnerability in Internet Explorer, which has been widely published since the start of 2011. Microsoft Trustworthy Computing spokesperson Angela Gunn said that this advisory and the zero-day disclosure on which it was predicted, caused discussion in the security community and some observers thought that Microsoft might be forced to release an out-of-band bulletin to protect customers.
“However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low. With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence,” Gunn said.
Microsoft highlighted MS11-003 as the most important to apply, as it resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer.
Paul Henry, security and forensic analyst at Lumension, called yesterday ‘a very disruptive Patch Tuesday', as several updates impact nearly the full operating system product line from Microsoft and require a reboot.
He said: “While a pair of zero-day security issues have now been patched, we still have not received a patch for the MHTML issue that impacts all versions of Internet Explorer, meaning we can look forward to an equally disruptive Patch Tuesday in March.
“Now 900 million people are sharing the love for Microsoft after last month, when we waited for the IE patch that never came. This month, we get to celebrate the national day of love by simultaneously rebooting our PCs. The IE patch is making a lot of noise, addressing the current IE CSS recursive style sheet import issue.
“History is repeating itself with this massive reboot and as we know from experience, reboots of this magnitude have been known to upset services and applications, so it's possible we will see similar problems to what we encountered in 2007 when a large Microsoft patch that required a reboot crippled applications, Skype in particular.”
Andrew Storms, director of security operations at nCircle, said: “Microsoft first released guidance using EMET to mitigate this critical IE exploit. Then they released a Fix It tool to stop the bug execution by cleverly making use of Windows application compatibility routines. Today, we have the complete fix. This is a great example of a staged response that other vendors would do well to learn from.”
Joshua Talbot, security intelligence manager at Symantec Security Response, said: “Among the six previously public vulnerabilities fixed, the Internet Explorer Cascading Style Sheet issue is the only one Symantec is seeing actively being used in attacks. The attacks aren't extremely widespread, but we did recently see a spike in activity. IT managers should patch this right away, especially those that have not implemented the temporary workaround released last month.
“At least one of the other critical Internet Explorer vulnerabilities patched is also likely to be exploited. The uninitialised memory corruption vulnerability appears to be even easier to take advantage of than the Cascading Style Sheet flaw. So, if cyber criminals are able to reverse engineer the patch, we'll probably see exploits for that one, too.”
Other patches included MS11-006 that addresses one critical-level vulnerability affecting Windows XP, Vista, Server 2003 and Server 2008, but newer versions of the operating system are unaffected.
Jason Miller, data team manager at Shavlik Technologies, said: “This security bulletin addresses a vulnerability in the Windows Graphics Rendering Engine that could allow remote code execution if exploited. If an attacker can entice a user to view a malicious thumbnail image on a network share or WebDAV share, an attack that allows remote code execution can occur.”
The final critical patch is MS11-007 that addresses one vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. This is rated critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; while it is rated important for Windows XP and Server 2003.
Wolfgang Kandek, CTO at Qualys, said: “Since OpenType is not used in Internet Explorer, this important attack vector is closed off, forcing more complicated delivery schemes to be used, via zipped folders for example, similar to this attack on MS11-006. However, as third party browsers can possibly be used in the exploitation of this flaw, we recommend including this patch in the high priority queue.
In other patch news, Mozilla had planned to release updates for their Firefox browser and Thunderbird email client, but these releases have been delayed until next week. Also, Adobe is releasing security bulletins to address a vulnerability in Adobe Reader and Acrobat. This will mark the first security bulletin that affects Adobe's new Acrobat/Reader X (version 10) line.