Topic: Microsoft plans 12 security patches for next "Patch Tuesday", 3 critical!

Samker



Microsoft plans to release 12 security patches at next week's "Patch Tuesday" event – three of them rated "critical," the company said Thursday. Those critical patches contain a total of six critical bug fixes, mostly for security vulnerabilities in Windows and Internet Explorer (IE).

The disclosure came as part of the advance patch notification process wherein Microsoft (NASDAQ: MSFT) warns security professionals how much work to expect by sending them a notice on the Thursday prior to the monthly patch drop.

Altogether, the 12 patches – each of which can contain multiple bug fixes – contain a total of 22 fixes, according to a post on the Microsoft Security Response Center (MSRC) blog: http://blogs.technet.com/b/msrc/archive/2011/02/03/advance-notification-service-for-the-february-2011-security-bulletin-release.aspx

The rest of the fixes and patches are rated "important," the second most-severe rating after critical on Microsoft's four-tiered ranking scale. So while there are fewer critical patches than on some other months, there will still be plenty of work for security professionals.

Among the security vulnerabilities being patched on Tuesday is a fix for a critical graphics rendering flaw in Windows – a zero-day vulnerability that Microsoft warned customers was loose on the Web in early January.

That bug lets hackers plant a booby-trapped thumbnail image on a malicious website or contained in a Word or PowerPoint file sent as an attachment to an e-mail. Opening the image can result in complete compromise of users' PCs.

Another of the patches fixes a hole in Internet Explorer that was discovered around Christmas, when there were "limited" attacks on the Web. The patch fixes a flaw in the way that cascading style sheets (CSS) are handled in IE, according to a security advisory the company issued in late December: http://www.microsoft.com/technet/security/advisory/2488013.mspx

What won't be fixed on Tuesday, however, is a hole that surfaced last week in what's called the Windows MHTML protocol handler, a component of all versions of Windows.

The technology is used to handle different media types in e-mail. However, many security researchers say that the typical outcome of a successful attack would only be "information disclosure" rather than complete takeover of the user's PC.

"The recent MHTML issue in Windows/Internet Explorer will not be addressed in this update. The workaround suggested by Microsoft in Advisory 2501696: http://www.microsoft.com/technet/security/advisory/2501696.mspx continues to be the recommended way of mitigating this attack vector," Wolfgang Kandek, CTO at security firm Qualys, said in a blog post: http://laws.qualys.com/2011/02/patch-tuesday---preview-for-fe.html

(eS)

Samker's Computer Forum - SCforum.info


 
