News

Microsoft patches critical flaws in IE, Windows Shell Graphics

Ryan Cloutier, Contributor

Microsoft issued 12 security bulletins Tuesday, patching 22 flaws across its product line, including two critical vulnerabilities for which exploit code was publically available, and a third, which was reported privately.

The number of vulnerabilities is down from December, the software giant's last "big month," which addressed 40 bugs. However, two flaws addressed in the

Requires Free Membership to View

February Patch Tuesday updates require immediate attention according to Jason Miller, data team manager at St. Paul, Minn.-based vulnerability management vendor Shavlik Technologies LLC.

Miller said that while there may be a few more publicly known exploits out there, IT administrators got everything that was expected from Microsoft this month.

Microsoft Patch Tuesday:
January - Microsoft repairs critical Windows flaws, issues temporary IE fix: Microsoft issued two security bulletins, repairing two critical flaws affecting all versions of Windows. In addition, it issued a temporary fix for an IE zero-day vulnerability.

Of the three vulnerabilities labeled critical, the two most important, according to Miller, were MS11-003, repairing two publicly disclosed vulnerabilities in Internet Explorer, and MS11-006, a Windows Shell graphics processor flaw.

The Internet Explorer update, which Miller said should be patched immediately, works by opening a specially crafted library file when the user opens an HTML file; it can also activate when the user browses to a webpage in Internet Explorer. The file allows remote code execution and attackers can use this exploit to grant themselves equal user access rights.

"Pretty much any time you get a critical [vulnerability] with Internet Explorer, you're going to want to patch it immediately because this where the bad guys are going to attack," Miller said. "They want to attack people using browsers; it's a better pool for them to find somebody they can get."

The update affects all supported versions of Internet Explorer.

The graphics processor flaw has to do with the way Windows renders thumbnails. This bug in the Windows Shell graphics processor could allow an attacker to gain the same access rights as a logged on user by making the user view a specially crafted thumbnail, according to Microsoft.

"With both of those bulletins the exploit code has been released publicly so there have been limited attacks," Miller said.

The update affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

A third privately reported critical update joins the litany of patches Microsoft unleashed against the Windows OpenType Font Driver in December. While the December corrections focused on preventing a malware-laden font from hijacking your system through Internet Explorer, February's flavor is concerned with the OpenType Compact Font Format driver. This vulnerability requires a bit more social engineering and work on the attacker's part, as they would have to convince the user to view a special webpage with their font exploit.

The update is rated critical for users of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It is rated Important for Windows XP and Windows Server 2003.

MHTML vulnerability remains
"While a pair of zero-day security issues have now been patched, we still have not received a patch for the MHTML issues that impact all versions of Internet Explorer, meaning we can look forward to an equally disruptive Patch Tuesday in March," said Paul Henry, security and forensic analyst at vulnerability management vendor, Lumension in a statement.

Exploit code surfaced in January targeting the MHTML protocol handler vulnerability. The flaw affects all versions of Windows, A victim can be infected by clicking on a malicious link on a website that leads to a HTML document. The technique injects malicious JavaScript onto the victim's browser, giving the attacker the ability to "spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user," Microsoft said in its advisory on the issue.

Miller said it would be difficult to determine what is in the pipeline for March as that is typically a "lighter month" in Microsoft's alternating of the workload. He went on to say the company does have at least one advisory from a month or so ago hanging over their heads but that, as of now, it was not a critical threat.

"In the last 4 to 5 months they're working very closely with the security researching partners," Miller said. "Just to even kind of play Nostradamus and try to guess what they're going to come with next is very interesting now … their light months are even big so next month, I couldn't tell you what is coming but I know they have a lot in their queue."