Microsoft Security Fixes Arrive With More Vulnerabilities

Computer security looks more and more like a game of Whac-A-Mole.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 8, 2011


Microsoft on Tuesday released 12 security bulletins addressing 22 vulnerabilities as part of its regularly scheduled patch cycle.

Five of the vulnerabilities are designated "critical" and should be patched as soon as possible. Affected software includes Internet Explorer, Office, and Windows.

Microsoft's security patch closes three zero-day vulnerabilities related to Internet Explorer Cascading Style Sheets (CSS), Windows thumbnail images, and an IIS FTP flaw. HP/TippingPoint's Zero Day Initiative (ZDI), however, disclosed five new ones: four affecting Excel and one affecting PowerPoint.

The IE CSS flaw is being actively exploited, according to Symantec, and should be fixed immediately. The relevant patch, MS11-013, covers two privately reported vulnerabilities. Joshua Talbot, security intelligence manager with Symantec Security Response, expects that if cybercriminals are able to reverse engineer the patch, we will see attempts to exploit the related uninitialized memory corruption vulnerability.

It's going to be a particularly busy month of patching. Adobe is expected to release a security update on Tuesday while Oracle is expected to release its quarterly security update later in February. And ZDI on Monday, per its disclosure policy, published 21 zero-day vulnerabilities affecting various enterprise vendors, including Microsoft.

"These vulnerabilities were made public before the patches were actually available because the advisory had been in the vendor's hand for longer than 180 days," explained Qualys CTO Wolfgang Kandek.

Microsoft has been frequently criticized for its slow response to security flaws. Last summer, a team of Google security researchers in a blog post wrote, "We’ve seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers."

Microsoft has continued to defend its view of what responsible disclosure should be and characterized Google's approach as amplifying risk.

In addition to its monthly security patch, Microsoft also published a security advisory announcing an update to its Autorun feature that restricts AutoPlay functionality to CDs and DVDs. If deployed, this update will reduce the danger posed by USB thumb drives, which can be rigged with malware designed to infect through the Autorun mechanism.

"[T]he delivery of the disabled Autorun for thumb drives is a huge increase in security for users," said Tyler Reguly, technical manager of security research and development for nCircle, in an e-mailed statement. "Malware commonly spreads via Autorun, and lately we've seen malware ship on a large number of consumer products, so this added protection can only be good for the end user."

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
