September 27, 2016

As predicted Microsoft Doesn’t Fix MHTML Problem on Patch Tuesday

Patch Tuesday has been and gone and, as predicted, Microsoft were unable to fix the MHTML vulnerability discovered at the end of January. To be fair to Microsoft, there really wasn’t enough time for testing and proper due process to fix it in time for February’s Patch Tuesday. Microsoft has also issued a Fixit. However, there may now be increased hacker activity to try and exploit this vulnerability and infect unsuspecting web users with malware.

So what did they fix? Microsoft issued 12 bulletins that addressed 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and Microsoft’s web server, IIS.

Of these 12, three are considered Critical:

MS11-003. This is a Cumulative Security Update for Internet Explorer and addresses problems first described in Security Advisory 2488013. In short, this patch fixes four vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page.

The second critical patch is MS11-006 and only applies to XP and Vista (and Server 2003 and 2008). Windows 7 isn’t affected. The problem fixed here is within the Windows Shell graphics processor. The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image. It was initially described in Security Advisory 2490606 which MS released on January 4th. Since that time, Microsoft report that they have not seen any attacks using this issue.

The last critical patch, MS11-007, addresses vulnerabilities affecting all supported versions of Windows and involving the OpenType Compact Font Driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font.

If you have automatic updating enabled on your Windows machine you will not need to take any action as these updates will be downloaded and installed automatically. If you don’t have automatic updating enabled you will need to check for the updates and install them manually.

In the video below, Jerry Bryant (of Microsoft) discusses this month’s bulletins in further detail:
