Microsoft Patch Tuesday Swats 22 Bugs, Misses MHTML Flaw


Microsoft released a dozen security bulletins patching 22 bugs and vulnerabilities in its monthly Patch Tuesday security update.

Among the 12 security bulletins issued by Microsoft on Patch Tuesday, the software giant classified three as "critical" and said they affect different versions of Microsoft's Windows operating system and all versions of Microsoft Internet Explorer, and that they could be exploited via zero-day attacks.

Microsoft also issued nine bulletins it considered "important," eight of which targeted various Windows versions and one to patch Microsoft Visio.

Microsoft released an advance security bulletin last week showcasing the pending patches. This month's Patch Tuesday is much heftier than January's, which saw Microsoft squash three bugs, one of which was critical, but is much smaller than December's, when Microsoft issued 17 patches to fix 40 security flaws.

According to Microsoft, the trio of critical bulletins fixes three issues: a bug in the Windows Graphics Rendering Engine that Microsoft cautioned users about last month; a vulnerability in Internet Explorer, caused by the creation of uninitialized memory during a cascading style sheet (CSS) function, for which Microsoft first issued an advisory in December and which could give attackers the ability to control users' computers; and a bug in the OpenType Compact Font Format (CFF) driver that impacts all supported versions of Windows.

"As always, we recommend that customers deploy all security updates as soon as possible," Angela Gunn, a representative for Microsoft's Trustworthy Computing program, wrote in a blog post highlighting the February Patch Tuesday security updates.

Joshua Talbot, security intelligence manager, Symantec Security Response, said Microsoft's IE CSS fix tightens up a hole that's been actively used in attacks.

"Among the six previously public vulnerabilities fixed, the Internet Explorer Cascading Style Sheet issue is the only one Symantec is seeing actively being used in attacks," Talbot wrote in an e-mail to CRN. "The attacks aren’t extremely widespread, but we did recently see a spike in activity. IT managers should patch this right away, especially those that have not implemented the temporary work-around released last month."

Meanwhile, Paul Henry, security and forensic analyst for Lumension, said Microsoft's Patch Tuesday makes a better gift for Valentine's Day than flowers and chocolates.

"We finally got our patch for Internet Explorer today in the midst of Microsoft's 12 bulletins; three of which were critical and nine important," he said in an e-mail to CRN. "Nine-hundred million people are now sharing the love for Microsoft after last month, when we waited for the IE patch that never came. This month, we get to celebrate the national day of love by simultaneously rebooting our PCs."

 
