Microsoft issued 13 security bulletins for February’s Patch Tuesday, patching a total of 26 vulnerabilities in a massive update Feb. 9.
Five of the 13 bulletins are rated critical-MS10-006, MS10-007, MS10-008, MS10-009 and MS10-013. Qualys CTO Wolfgang Kandek put MS10-006 and MS10-013 at the top of his list of patches to be deployed. The first of the two deals with two vulnerabilities in Windows affecting the SMB protocol that could permit remote code execution. MS10-013 fixes a flaw in Microsoft DirectShow that could be exploited if a user opens a specially crafted AVI file.
Microsoft ranked those two-as well as MS10-007, MS10-008 and MS10-015-at the top of the list of patches to be deployed first. MS10-007 addresses a remote code execution vulnerability in the Windows Shell Handler that impacts Windows 2000, Windows XP and Windows Server 2003. MS10-008 addresses a remote code execution vulnerability in the Microsoft Data Analyzer ActiveX Control, while MS10-015 fixes two privilege escalation bugs in the Windows Kernel.
Although the Windows Kernel bulletin is rated important and not critical, it was pushed up in the company’s priority rankings because proof-of-concept exploit code is now available on the Internet, according to Microsoft.
MS10-009 fixes four critical vulnerabilities in Windows TCP/IP. The most serious of the vulnerabilities can allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. The remaining bulletins patch various holes in Windows, with the exception of fixes for Microsoft Office and Office PowerPoint.
“Microsoft’s February 2010 was slated to be the biggest release for Microsoft patches in the last two years-14 bulletins addressing 34 vulnerabilities,” Kandek said. “But the Google-CN Internet Explorer zero-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger Patch Tuesdays.”