Microsoft is expected to show some love for Windows administrators on Valentine's Day, with nine patches fixing 21 vulnerabilities in February's Patch Tuesday release.
Microsoft will fix 21
vulnerabilities in Internet Explorer, several versions of the Windows operating
system, Microsoft Office, Sharepoint and Silverlight in its February Patch
Microsoft will release nine
bulletins, four of which are rated "critical," according to the
security bulletin advance notification released Feb. 9. The critical updates
will fix issues in Internet Explorer, Windows and Silverlight. The remaining
five are rated as "important" and affect Microsoft Visio Viewer 2010
in the Office productivity suite and Sharepoint, according to the pre-notification
February's Patch Tuesday
release is expected Feb. 14.
"Microsoft is planning
to deliver a big 'Valentine' next Tuesday," said Andrew Storms, director
of security operations for nCircle.
While all modern versions of
the Windows operating system are affected by the Patch Tuesday updates, Server
2008 R2 is affected by the greatest number of bulletins. Each operating system
is affected by five of the eight bulletins fixing operating system
The fact that Server 2008 R2
was the most affected was "surprising" because server operating
systems generally have fewer bugs compared with desktops, said Storms. Server
2008 also has many of the newer mitigation technologies and default settings
designed to protect the operating system even when bugs are found, said Storms.
"That's kind of weird
because newer OS versions are generally more secure," said Storms.
The bulletin fixing the
remote-code-execution flaw in Internet Explorer should be the highest priority
for administrators, said Wolfgang Kandek, CTO of Qualys. Microsoft has recently
released several patches for its Web browser, media player and related
technologies, such as Silverlight. One of the critical in February's update is
for Silverlight 4.
Researchers and attackers
are beginning to realize that browser exploits have the most potential to
compromise users and cause damage. Microsoft fixed critical remote-code-execution
vulnerabilities in Windows Media in January's Patch Tuesday update. Microsoft
warned at the time that an attacker could use a specially crafted media file to
gain the same user rights as a local user in the advisory released Jan. 10.
Trend Micro researchers detected a malicious HTML page with a specially crafted
MIDI file exploiting the flaw a mere 15 days after the patch was released.
Browsers are beginning to
take on the role of operating systems for users as they shift their work from
the computers to online services, said Marcus Carey, a security researcher at
Rapid7. As browser-based exploits become a more common attack vector, exploit
developers will increasingly focus on anything that can compromise the browser,
bulletin for Microsoft Visio Viewer most likely will address a file-based
attack, Kandek said.
initiatives seem to be paying off as the company has fewer patches this month
compared with last year, said Paul Henry, a security and forensic analyst at
Lumension. There were 12 bulletins fixing 22 vulnerabilities last February,
compared with this year's nine bulletins fixing 21 flaws.
"Clearly, the company's
renewed focus is paying off. Now if folks would just follow through and
patch!" Henry wrote.