Two known flaws highlight Microsoft patch batch


Microsoft on Tuesday released 12 patches to correct 22 vulnerabilities, including two zero-day bugs, as part of its February security update.

Most experts singled out bulletin MS11-003 as the priority patch. It fills four holes in Internet Explorer, three rated "critical" and one "important." One of the vulnerabilities fixed is publicly known and affects all supported versions of the browser; exploit code was posted shortly after Microsoft revealed the flaw in December.

"Even though the attacks have been limited, this vulnerability needs to be patched immediately as future attacks are likely," said Jason Miller, data team manager at Shavlik Technologies, which makes vulnerability management products.

Another major fix is MS11-006, which resolves a second publicly known vulnerability, this one in the Windows Shell graphics processor, affecting Windows XP, Vista, Server 2003 and Server 2008. So far, Microsoft has not seen any active attacks.

"The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image," according to the advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Finally, Microsoft recommends administrators prioritize MS11-007, which addresses a single vulnerability in the Windows OpenType Compact Font Format (CFF) driver.

The remaining nine patches drew "important" ratings. Separately, Microsoft announced plans to push out an update to AutoRun, described in an advisory originally released in February 2009, as part of Windows Update. Malware that propagates via the AutoRun capability has become more common in recent months.

"Windows 7 already disables AutoRun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction," Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a Tuesday blog post. "With the change to the advisory, earlier versions of Windows that receive their updates automatically via Windows Update 'AutoUpdate' will now gain that security-conscious functionality as well."
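For administrators who want to verify the AutoRun posture on their own hosts, the following PowerShell script (an added example, not from the article or from Microsoft) reads the NoDriveTypeAutoRun policy value and decodes which drive types have AutoRun disabled. It assumes the bitmask semantics Microsoft documents for that policy; it reports only the policy value and does not tell you whether the AutoRun update mentioned above has been installed.

```powershell
# Added example: report the AutoRun policy state on a Windows host.
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
# Bit meanings assumed from Microsoft's documentation of this policy value.
$driveBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' }
    @{ Bit = 0x04; Name = 'Removable (USB thumb drives, floppy)' }
    @{ Bit = 0x08; Name = 'Fixed disk' }
    @{ Bit = 0x10; Name = 'Network' }
    @{ Bit = 0x20; Name = 'CD-ROM / DVD' }
    @{ Bit = 0x40; Name = 'RAM disk' }
    @{ Bit = 0x80; Name = 'Drive with no root directory' }
)

function Get-AutoRunPolicy {
    # Returns the NoDriveTypeAutoRun value for the given hive, or $null if not set.
    param([ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: OS default applies
    return [int]$item.NoDriveTypeAutoRun
}

foreach ($hive in 'HKLM','HKCU') {
    $mask = Get-AutoRunPolicy -Hive $hive
    if ($null -eq $mask) {
        Write-Output "${hive}: NoDriveTypeAutoRun not set (OS default applies)"
        continue
    }
    Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $mask)
    foreach ($entry in $driveBits) {
        $state = if ($mask -band $entry.Bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("  {0,-40} AutoRun {1}" -f $entry.Name, $state)
    }
    # Removable media is the vector the article describes; flag it explicitly.
    if (-not ($mask -band 0x04)) {
        Write-Warning "${hive}: AutoRun is still enabled for removable drives (0xFF disables all types)."
    }
}
```

A machine policy (HKLM) takes precedence over a user policy (HKCU) when both are set, so review the HKLM line first.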

Microsoft failed to patch any of the five vulnerabilities revealed on Monday by TippingPoint's Zero Day Initiative, which promised roughly six months ago to disclose as soon as Feb. 4 any unfixed bugs that had been reported to the bounty service.

Microsoft reportedly was planning to patch the flaws in Tuesday's update but pulled them for quality assurance reasons.

Also on Tuesday, Adobe patched 68 flaws across its Reader and Acrobat, ColdFusion, Shockwave Player and Flash Player product lines.
