February's Patch Tuesday covers three critical bulletins and nine rated important. The patches affect every supported version of Windows from XP up, as well as Internet Explorer, Office, Visual Studio, and IIS. Among them is a fix for Internet Explorer that will force a reboot on a massive number of PCs, raising the risk of a repeat of 2007's reboot fiasco.
Microsoft announced 12 bulletins for February's Patch Tuesday. Three of the bulletins are critical and include updates to address recently disclosed flaws in Internet Explorer and Windows.
Beyond the three critical bulletins, nine are rated important, addressing issues in Microsoft Windows, Internet Explorer, Microsoft Office, Visual Studio, and IIS.
February's Patch Tuesday release follows a light January in which Microsoft issued only two security bulletins covering three vulnerabilities. That January release also left some known vulnerabilities unpatched, including the recursive style-sheet import bug in IE.
Info for Techies
"These vulnerabilities have seen limited exploits in the wild, so applying the update is highly recommended," said Wolfgang Kandek, CTO at Qualys. "In addition, the lower-rated flaw in the FTP service is addressed with an update to the IIS server."
The remaining updates address flaws in Windows, Office and the Visual Studio development platform. Kandek said all versions of Windows, from Windows XP SP3 up to the latest releases of Windows 7 and Windows Server 2008 R2, are affected. The Office bulletin, however, is limited to a relatively small footprint: Visio 2002, 2003 and 2007.
"The recent MHTML issue in Windows and Internet Explorer will not be addressed in this update," Kandek said. "The work-around suggested by Microsoft in Advisory 2501696 continues to be the recommended way of mitigating this attack vector."
The vulnerability stems from the way MHTML interprets MIME-formatted requests for content blocks within a document. Microsoft said that, under certain conditions, this allows an attacker to inject a client-side script into the response to a web request, with the script then executing in the context of the victim's Internet Explorer session. The effect is comparable to a cross-site scripting flaw: the injected script runs with the privileges of the site the victim is viewing, so a malicious link is enough to trigger it.
Microsoft Shows Some Love
Technical details aside, Paul Henry, forensic and security analyst at Lumension, said it looks like IT admins might finally be getting a patch for Internet Explorer this month. That means 900 million people will be sharing the love for Microsoft this Patch Tuesday.
"Last month, we were waiting for the IE patch that never came, and this month we get to celebrate the national day of love by all of us simultaneously rebooting our PCs," Henry said. "Not only do we expect to see a lot of noise around the IE patch, this Patch Tuesday we will see another massive round of patches. In the 12 bulletins released today, six are remote-code executable."
Will history repeat itself with this massive reboot?
Experience tells Henry that reboots of this magnitude have been known to disrupt services and applications. IT admins could therefore see problems similar to those of August 2007, when mass reboots following a large Microsoft patch release crippled applications, Skype in particular.
"Although Microsoft appears to be doing a bit of spring cleaning this Patch Tuesday with a lot of regular 'run of the mill' stuff, it can't be emphasized enough that this will be a massive simultaneous reboot and historically, we've seen services greatly impacted when such a huge number of machines require reboots," Henry said.