Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Microsoft delivers 'big month' of patches, quashes 22 bugs

None | Feb. 25, 2011
Operating Systems

FRAMINGHAM, 8 FEBRUARY 2011 Microsoft (MSFT) issued 12 security updates that patched 22 bugs in Windows, Internet Explorer (IE), Office and its Internet server software.

An analyst suspected that one of the dozen updates was released to prevent hackers from exploiting Windows 7 in the Pwn2Own contest slated to start in four weeks.

"I think this was a strategic move by Microsoft to prevent [researchers] from using the vulnerability as a mechanism to bypass ASLR," said Andrew Storms, director of security operations for nCircle Security, referring to the MS11-009 update that patched a bug in the JScript and VBScript scripting engines within Windows.

At Pwn2Own, which runs March 9-11 at the CanSecWest security conference, attackers armed with unpatched vulnerabilities and corresponding exploits will try to hack browsers running on Windows 7. To do so, they must sidestep ASLR -- for "address space layout randomization" -- one of Windows 7's two anti-exploit technologies.

Three of the 12 updates were labeled "critical," Microsoft's most serious threat ranking. The remaining nine were marked "important," the second-highest rating.

Microsoft put the spotlight on the trio of critical bulletins, telling users to install them as soon as possible, while several security researchers tapped two of the three.

"This is a big month of bulletins, but users should patch MS11-003 and MS11-006 immediately because both address zero-day vulnerabilities," noted Jason Miller, the data and security team manager for Shavlik Technologies.

MS011-003 , a four-patch update for IE, plugged the hole that Microsoft acknowledged Dec. 22, 2010, several weeks after French security firm Vupen issued a bare bones advisory that said all versions of IE were vulnerable. Shortly after that, Microsoft warned users that attackers were exploiting the bug.

According to Storms, Microsoft called it on the IE vulnerability. "They were right on target with this one," he said, referring to Microsoft's decision to defer an emergency, or "out-of-band," update earlier. "This was nicely on cycle."

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), noted that the company's antivirus group, which tracks the volume of attacks using its own data as well as that provided by customers, showed a spike in attacks only in the last week or so.

"Microsoft did the right thing [by waiting]," said Miller. "We all want vulnerabilities fixed, but I don't want [Microsoft] to rush anything out."

Meanwhile, MS11-006 patched a critical flaw in how Windows XP, Vista, Server 2003 and Server 2008 render thumbnail images inside folders. The bug was disclosed in mid-December 2010 at a South Korean security conference, and Microsoft published an advisory Jan. 4. At the time, the company said it would not release an out-of-band patch for that problem, either.

 

Sign up for CIO Asia eNewsletters.