Tuesday, February 08, 2011

Security Bulletin Release for February, 2011

Microsoft released twelve (12) security bulletins addressing 22 issues in Microsoft Windows, Internet Explorer, Office, Visual Studio, and IIS. Three bulletins are rated Critical, the remaining nine are rated Important.

The updates addressed two Security Advisories: Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer).

Important Note: If you installed the Microsoft Fix it solution for either or both of the two Security Advisories, it needs to be disabled prior to installing the updates. As noted in Microsoft Fix it Available for Security Advisory 2488013, it is particularly important that the Microsoft Fix it be disabled.

Disable: Microsoft Fix it 50593 (Security Advisory 2490606)
Disable: Microsoft Fix it 50592 (Security Advisory 2488013)

Also included is an update to Security Advisory 967940, "Update for Windows Autorun". As explained in the MSRC Blog, the purpose of the update is
"to change how earlier versions of Windows handle security when reading "non-shiny" storage media. ("Shiny" storage media would include CD-ROMs and DVDs.) Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the Advisory, earlier versions of Windows that receive their updates automatically via Windows Update "AutoUpdate" will now gain that security-conscious functionality as well. We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker."

Microsoft also released an updated Malicious Software Removal Tool this month.

The three critical updates are described as follows:
  • MS11-003. This bulletin resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer. Due to existing mitigations, this bulletin is only rated at Moderate severity for all versions of Windows Server, has an Exploitability Index rating of 1, and will deprecate Security Advisory 2488013.
  • MS11-006. This bulletin addresses one Critical-level vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer versions of our operating system are unaffected. The vulnerability involves Windows Shell Graphics and could if exploited lead to remote code execution. This has an Exploitability Index rating of 1 and will deprecate Security Advisory 2490606 which we released on January 4th. Since that time, we have not seen any attacks against this issue.
  • MS11-007. This bulletin addresses one privately reported vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. It's rated Critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; it's rated Important for Windows XP and Server 2003. This issue has an Exploitability Index rating of 2.

For complete details, see the references listed below.


Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Anonymous said...

"it is particularly important that the Microsoft FixIt be disabled (before applying the security update)".

In the event someone failed to notice this... i.e., if they installed the security update(s) withOUT having disabled either or both of the FixIts... how should they proceed at this point?

Corrine said...

Hi. Good question.

Based on the nature of the MS11-003 update, if the Fix it has not been disabled, the update should result in a failed installation message.