Microsoft began 2011 with a light touch, but IT pros can expect a decidedly heavy February security update next Tuesday, according to Microsoft's advance notice issued today.
The patch will weigh in with a total of 12 security bulletins, with three rated "critical" and nine considered "important." Of the total, three bulletins will have remote code execution risk considerations. Expect to see five items with elevation-of-privilege implications. Rounding out the slate, Microsoft will address some denial-of-service and information-disclosure issues.
Critical Items
The first critical bulletin will be a much-anticipated fix for Internet Explorer. It likely will be cumulative because of the various in-the-wild threats exposed before this patch release. The fix will affect IE 6, 7 and 8 on all supported Windows operating systems.
One of the Internet Explorer flaws expected to be addressed in this patch is the memory flaw associated with a CSS function in the browser, as described by Microsoft earlier in security advisory 2488013 (http://www.microsoft.com/technet/security/advisory/2488013.mspx).
However, security experts don't think the recent MHTML issue in Windows/Internet Explorer will be addressed because the patch couldn't be configured in time. Microsoft did release a workaround for that issue in security advisory 2501696 (http://www.microsoft.com/technet/security/advisory/2501696.mspx), but security pros say the priority level of the threat thus far remains low.
So how does Microsoft propose to deal with the problem right now? In the absence of a patch for that issue, Microsoft recommends that users do the following:
► Enable the MHTML protocol lockdown (http://support.microsoft.com/kb/2501696) and click on “Fix it for me.”
► Set the Internet and Local intranet security zone settings to “High.” This will block ActiveX Controls and Active Scripting in these zones.
► Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones.
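To confirm that the zone-based steps above are actually in place on a machine, the following PowerShell audit is an added example (not from the article or from Microsoft). It assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active Scripting, CurrentLevel 0x12000 = High template) and PowerShell 3.0 or later; the function names are hypothetical.

```powershell
# Added example: report whether the zone hardening from the workaround is set.
# Assumed IE registry layout: zone 1 = Local intranet, zone 3 = Internet;
# value "1400" = Active Scripting (0 enable, 1 prompt, 3 disable);
# value "CurrentLevel" = zone template (0x12000 = High).
$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Roots   = @(   # policy locations first, then per-user preferences
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneSetting {
    param([int]$Zone, [string]$Name)
    # Emit every location that defines the value, so conflicts stay visible.
    foreach ($root in $Roots) {
        $key  = Join-Path $root "$Zone"
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Key = $key; Value = [int]$item.$Name }
        }
    }
}

function Test-ScriptingWorkaround {
    foreach ($zone in ($Zones.Keys | Sort-Object)) {
        $scripting = @(Get-ZoneSetting -Zone $zone -Name '1400')
        $level     = @(Get-ZoneSetting -Zone $zone -Name 'CurrentLevel')
        # Hardened only if some location sets Prompt/Disable and none sets Enable.
        $weak     = @($scripting | Where-Object { $_.Value -notin 1, 3 })
        $hardened = ($scripting.Count -gt 0) -and ($weak.Count -eq 0)
        [pscustomobject]@{
            Zone            = $Zones[$zone]
            ActiveScripting = ($scripting | ForEach-Object { $Actions[$_.Value] }) -join ', '
            HighTemplate    = [bool]($level | Where-Object { $_.Value -eq 0x12000 })
            Hardened        = $hardened
        }
    }
}

Test-ScriptingWorkaround | Format-Table -AutoSize
```

A zone with no value defined in any of the three locations is reported as not hardened, since the script cannot tell which default applies.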
Critical security bulletin No. 2 will be for Windows systems, affecting every release except for Windows 7 and Windows Server 2008. The final critical bulletin on tap, critical patch No. 3, also will be a Windows fix, but it will affect every supported version.
Important Items
Microsoft is planning a Windows fix in its first important item, which will affect Vista, Windows Server 2008 and Windows 7. Important item No. 2 will only touch Windows Server 2003.
Important bulletin No. 3 will be an update for Microsoft Office, the Visual Studio development environment, and Visio applications (versions 2002, 2003 and 2007).
Expect to see an information disclosure fix in the fourth important item. It will address that problem in Windows 7 and Windows Server 2008.
Important bulletin No. 5 will be a rare fix for Windows XP, which is no longer supported, and Windows Server 2003.
The sixth important bulletin will be a fix for every supported Windows OS plus a Windows update; the same scenario can be expected with important item No. 7.
Important items No. 8 and No. 9 both will address systems running Windows XP and Windows Server 2003.
All of the fixes in the February patch may require a restart after being applied.
Paul Henry, forensic and security analyst at Lumension, wondered if the light-heavy patch trajectory last year from month to month will constitute history "repeating itself with massive reboots."
"Although Microsoft appears to be doing a bit of spring cleaning this Patch Tuesday with a lot of regular 'run of the mill' stuff, it can't be emphasized enough that this will be a massive simultaneous reboot," he said. "And historically, we've seen services greatly impacted when such a huge number of machines require reboots."
Meanwhile, Windows IT pros can tap this Knowledge Base (http://support.microsoft.com/kb/894199/en-us) article for info on nonsecurity updates flowing through Windows Server Update Services, Windows Update and Microsoft Update.
For more detailed information, refer to this Advance Notification Service (http://blogs.technet.com/b/msrc/archive/2011/02/03/advance-notification-service-for-the-february-2011-security-bulletin-release.aspx) for the February 2011 Security Bulletin Release.