Microsoft Patch Tuesday Swats 22 Bugs, Misses MHTML Flaw

Microsoft released a dozen security bulletins patching 22 bugs and vulnerabilities in its monthly Patch Tuesday security update.

Among the 12 security bulletins issued by Microsoft on Patch Tuesday, the software giant classified three as "critical" and said they affect different versions of Microsoft's Windows operating system and all versions Microsoft Internet Explorer, and they could be exploited via zero-day attacks.

Microsoft also issued nine bulletins it considered "important," eight of which targeted various Windows versions and one to patch Microsoft Visio.

Microsoft released an advanced security bulletin last week showcasing the pending patches. This month's Patch Tuesday is much heftier than January's, which saw Microsoft squash three bugs, one of which was critical, but is much smaller than December's, when Microsoft issued 17 patches to fix 40 security flaws.

According to Microsoft, the trio of critical bulletins offer fixes for bugs that affect the Windows Graphics Rendering Engine that Microsoft cautioned users about last month; a vulnerability in Internet Explorer that exists due to the creation of an initialized memory during a cascading style sheet (CSS) function that Microsoft first issued an advisory for in December and could give attackers the ability to control users' computers; and a bug that involves the OpenType Compact Font Format (CFF) Driver that impacts all supported versions of Windows.

"As always, we recommend that customers deploy all security updates as soon as possible," Angela Gunn, a representative for Microsoft's Trustworthy Computing program, wrote in a blog post highlighting the February Patch Tuesday security updates.

Joshua Talbot, security intelligence manager, Symantec Security Response, said Microsoft's IE CSS fix tightens up a hole that's been actively used in attacks.

"Among the six previously public vulnerabilities fixed, the Internet Explorer Cascading Style Sheet issue is the only one Symantec is seeing actively being used in attacks," Talbot wrote in an e-mail to CRN. "The attacks aren’t extremely widespread, but we did recently see a spike in activity. IT managers should patch this right away, especially those that have not implemented the temporary work-around released last month."

Meanwhile, Paul Henry, security and forensic analyst for Lumension, said Microsoft's patch Tuesday makes a better gift for Valentine's Day than flowers and chocolates.

"We finally got our patch for Internet Explorer today in the midst of Microsoft's 12 bulletins; three of which were critical and nine important," he said in an e-mail to CRN. "Nine-hundred million people are now sharing the love for Microsoft after last month, when we waited for the IE patch that never came. This month, we get to celebrate the national day of love by simultaneously rebooting our PCs."

Next: Microsoft Misses MHTML Flaw On Patch Tuesday

But Microsoft Patch Tuesday was not all hugs and kisses this February, Henry said, as Microsoft missed a patch for the MHTML issue impacting Internet Explorer that Microsoft warned about last month. The MHTML flaw affects all versions of Windows and a victim can be infected by clicking on a malicious link that leads to an HTML document that injects malicious JavaScript into the victim's browser allowing the attacker to spoof content, take information or act as the Web user.

"As noted last week, this is a very disruptive Patch Tuesday with several updates impacting nearly the full operating system product line from Microsoft and requiring a reboot," Henry said. "While a pair of zero-day security issues have now been patched, we still have not received a patch for the MHTML issues that impact all versions of Internet Explorer, meaning we can look forward to an equally disruptive Patch Tuesday in March."

Jim Walter, McAfee Threat Intelligence Service manager for McAfee Labs, said while the MHTML vulnerability isn't the highest priority among the potential zero-day patches, it's still necessary to plug a serious hole.

"The scope and impact of the MHTML vulnerability is relatively limited compared to other recent zero-day code execution vulnerabilities," said Walter. "Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts, as well as the disclosure of sensitive information."

Microsoft also this month updated a previous security advisory regarding Windows Autorun, which changes how earlier versions of Windows handle security when reading "non-shiny" storage devices like USB thumb drives. Microsoft said Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the advisory, earlier versions of Windows that receive their updates automatically via Windows Update "AutoUpdate" will now gain that functionality.

"We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker," wrote Gunn in the blog post.

Talbot said Microsoft's Windows Autorun update is a step toward tighter security.

"This update disables Autorun functionality for all media except CDs and DVDs," Talbot said. "As portable media devices such as USB memory drives, music players and external hard drives have seen a sharp increase in popularity over the last several years, we have also seen a resurgence in sneakernet attacks, where malware is manually propagated by users carrying rewritable media from network to network. The effect of such attack and is that a targeted computer is immediately infected if Autorun is enabled on the machine, which it is by default. This update will dramatically reduce the impact of these attacks."