Microsoft Releases Massive Patch for 57 Vulnerabilities

February's Microsoft Security Update arrived today with a larger-than-usual 12 bulletins -- five rated "critical" and seven "important."

The large monthly patch, which covers 57 vulnerabilities, is highlighted by a security bulletin for Internet Explorer (MS13-009). This cumulative Internet Explorer fix addresses 12 vulnerabilities that could lead to remote code execution (RCE) attacks if a user clicked on a malicious Web page.

However, that's not the only item this month that addresses Microsoft's Internet browser. Bulletin MS13-010 targets a flaw in M Security experts typically recommend that users prioritize any Internet Explorer fixes first in the patch cycle. Adding to that advice, Wolfgang Kandek, CTO of Qualys Inc., said that bulletin MS13-010 should be applied as soon as possible.

"It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild," said Kandek. "The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics. VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible."

Once the two Internet Explorer items have been updated, Microsoft recommends that IT shops with Windows XP deployed turn their attention to security bulletin MS13-020 -- a fix for a vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation.

Bulletin MS13-011, the second-to-last critical item for February, addresses a publicly disclosed hole in Windows XP, Vista, Windows Server 2003 and Windows Server 2008. "The most severe vulnerability is in Microsoft Exchange Server WebReady Document Viewing, and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA)," according to Microsoft.

The final critical item, bulletin MS13-012, also concerns the threat of attack by specially crafted OWA files, with the hole lying in Microsoft's Exchange server.

After these five bulletins have been successfully installed, the final seven important fixes should be deployed based on the use of the affected software. Information on these items can be found in the Microsoft Security Bulletin Summary.

About the Author

Chris Paoli is the site producer for and

