Microsoft has released 12 patches to correct 22 vulnerabilities, including two zero-day bugs, as part of its February security update.
Most experts designated the priority patch to be bulletin MS11-003, which fills four holes, three rated "critical" and one "important," in Internet Explorer. One of the vulnerabilities fixed is publicly known, affecting all supported versions of the browser. Exploit code was posted shortly after Microsoft revealed the flaw in December.
"Even though the attacks have been limited, this vulnerability needs to be patched immediately as future attacks are likely," said Jason Miller, data team manager at Shavlik Technologies, which makes vulnerability management products.
Another major fix is MS11-006, which resolves a second publicly known vulnerability, this one in the Windows Shell graphics processor, affecting Windows XP, Vista, Server 2003 and Server 2008. So far, Microsoft has not seen any active attacks.
"The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image," according to the advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Finally, Microsoft recommends administrators prioritize MS11-007, which addresses a single vulnerability in the Windows OpenType Compact Font Format driver.
Aside from the remaining nine patches, which drew "important" ratings, Microsoft also announced plans to push out an update to AutoRun, described in an advisory originally released in February 2009, as part of Windows Update. Malware that propagates via the AutoRun capability has become more common in recent months.
"Windows 7 already disables AutoRun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction," Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a Tuesday blog post. "With the change to the advisory, earlier versions of Windows that receive their updates automatically via Windows Update 'AutoUpdate' will now gain that security-conscious functionality as well."
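For administrators who want to confirm the AutoRun posture of their own hosts, the following PowerShell check is an added example written for this article, not Microsoft's code. It reads the NoDriveTypeAutoRun policy value, the bitmask administrators use to suppress AutoRun per drive type; it does not test whether the Windows Update change described above has been installed.

```powershell
# Added example (not from the article or Microsoft): report the AutoRun policy on this host.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed;
# 0xFF suppresses it for every drive type, and bit 0x04 covers removable drives such as USB sticks.
# This inspects the administrative policy only; it does not verify that the AutoRun update is installed.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($path in $policyPaths) {
    $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    if ($null -eq $value) {
        "$path : NoDriveTypeAutoRun not set (Windows default behaviour applies)"
    }
    elseif ($value -eq 0xFF) {
        "$path : 0x{0:X2} - AutoRun suppressed for all drive types" -f $value
    }
    else {
        # Report whether the removable-drive bit is included in the mask.
        $removable = if ($value -band 0x04) { 'suppressed' } else { 'still allowed' }
        "$path : 0x{0:X2} - AutoRun only partially suppressed; removable drives: {1}" -f $value, $removable
    }
}
```

The machine-wide (HKLM) value takes precedence over the per-user (HKCU) one when both are present.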
Microsoft did not patch any of the five vulnerabilities revealed on Monday by TippingPoint's Zero Day Initiative, which roughly six months ago said it would disclose, beginning Feb. 4, any unfixed bugs that had been reported to its bounty service.
Microsoft reportedly was planning to patch the flaws in Tuesday's update but pulled them for quality assurance reasons.
Separately, Adobe patched 68 flaws across its Reader and Acrobat, ColdFusion, Shockwave Player and Flash Player product lines.
This article originally appeared at scmagazineus.com