Microsoft Releases Massive Patch for 57 Vulnerabilities
February's Microsoft Security Update arrived today with a larger-than-usual 12 bulletins -- five rated "critical" and seven "important."
The large monthly patch, which covers 57 vulnerabilities, is highlighted by a security bulletin for Internet Explorer (MS13-009). This cumulative Internet Explorer fix addresses 12 vulnerabilities that could lead to remote code execution (RCE) attacks if a user clicked on a malicious Web page.
However, that's not the only item that addresses Microsoft's Internet browser for the month. Bulletin MS13-010 targets a flaw in M
Security experts typically recommend that users prioritize any Internet Explorer fixes first in the patch cycle. Adding to that advice, Wolfgang Kandek, CTO of Qualys Inc. said that bulletin MS13-010 should be updated as soon as possible.
"It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild," said Kandek. "The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics. VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible."
Once the two Internet Explorer items have been updated, Microsoft recommends that IT shops with Windows XP deployed should turn their attention to security bulletin MS13-020 -- a fix for a vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation.
Bulletin MS13-011, the second-to-last critical item for February, addresses a publicly disclosed hole in Windows XP, Vista, Windows Server 2003 and Windows Server 2008. "The most severe vulnerability is in Microsoft Exchange Server WebReady Document Viewing, and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA)," according to Microsoft.
The final critical item, bulletin MS13-012, also concerns the threat of attack by specially crafted OWA files, with the hole lying in Microsoft's Exchange server.
After these five bulletins have been successfully installed, the final seven important fixes should be deployed based on the use of the affected software. Information on these items can be found in the Microsoft Security Bulletin Summary.